Snort mailing list archives

Re: FP 17246
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 14 Oct 2010 11:00:13 -0400


Current revision of this rule is 3. Also, it now resides in 
deleted.rules.

On Thu, 14 Oct 2010 08:43:06 -0600, Lay, James wrote:
Rule hit:
10/14-08:38:47.457462  [**] [1:17246:1] SPECIFIC-THREATS Multiple 
vendor Antivirus magic byte detection evasion attempt [**] 
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 
209.85.225.148:80 -> external_IP:61121
 
Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection 
evasion attempt"; flow:established,to_client; 
content:"Content|2D|Type|3A 20|text|2F|html"; nocase; http_header; 
pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2005-3370; reference:cve,2005-3371; 
reference:cve,2005-3372; reference:cve,2005-3373; 
reference:cve,2005-3374; reference:cve,2005-3375; 
reference:cve,2005-3376; reference:cve,2005-3377; 
reference:cve,2005-3378; reference:cve,2005-3379; 
reference:cve,2005-3380; reference:cve,2005-3381; 
reference:cve,2005-3382; classtype:attempted-user; sid:17246; rev:1;)
 
Packet dump:
08:39:10.499895 IP 209.85.225.148.80 > 66.193.105.132.61121: Flags 
[P.], ack 721, win 9648, length 204
        0x0000:  4500 00f4 e376 0000 3906 3e5e d155 e194  E....v..9.>^.U..
        0x0010:  42c1 6984 0050 eec1 18f5 f9bc 5329 87af  B.i..P......S)..
        0x0020:  5018 25b0 637e 0000 4854 5450 2f31 2e31  P.%.c~..HTTP/1.1
        0x0030:  2032 3030 204f 4b0d 0a43 6f6e 7465 6e74  .200.OK..Content
        0x0040:  2d54 7970 653a 2069 6d61 6765 2f67 6966  -Type:.image/gif
        0x0050:  0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163  ..Pragma:.no-cac
        0x0060:  6865 0d0a 4361 6368 652d 436f 6e74 726f  he..Cache-Contro
        0x0070:  6c3a 206e 6f2d 6361 6368 650d 0a43 6f6e  l:.no-cache..Con
        0x0080:  7465 6e74 2d4c 656e 6774 683a 2034 330d  tent-Length:.43.
        0x0090:  0a44 6174 653a 2054 6875 2c20 3134 204f  .Date:.Thu,.14.O
        0x00a0:  6374 2032 3031 3020 3134 3a33 393a 3132  ct.2010.14:39:12
        0x00b0:  2047 4d54 0d0a 5365 7276 6572 3a20 4746  .GMT..Server:.GF
        0x00c0:  452f 322e 300d 0a0d 0a47 4946 3839 6101  E/2.0....GIF89a.
        0x00d0:  0001 0080 0100 0000 00ff ffff 21f9 0401  ............!...
        0x00e0:  0000 0100 2c00 0000 0001 0001 0000 0202  ....,...........
        0x00f0:  4c01 003b                                L..;
 
Looks like a .gif from google….
 
James
 


------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.

http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
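To see which half of sid:17246 the quoted packet actually satisfies, here is an added Python example (not code from the thread, from Sourcefire or from Snort) that rebuilds the raw bytes from the tcpdump -X lines above, strips the IPv4 and TCP headers using their own length fields, and then evaluates the rule's `content` option and its `pcre` option separately. The header/body split and the case-insensitive header search are an approximation of Snort's `http_header` buffer, not Snort's own HTTP normalisation; the constant names and helper functions are this example's, not Snort's.

```python
import re

# Constructed from the tcpdump -X output quoted in the thread: the 244-byte
# HTTP response from 209.85.225.148:80. Only the offset and hex columns are used.
PACKET_DUMP = """\
0x0000:  4500 00f4 e376 0000 3906 3e5e d155 e194  E....v..9.>^.U..
0x0010:  42c1 6984 0050 eec1 18f5 f9bc 5329 87af  B.i..P......S)..
0x0020:  5018 25b0 637e 0000 4854 5450 2f31 2e31  P.%.c~..HTTP/1.1
0x0030:  2032 3030 204f 4b0d 0a43 6f6e 7465 6e74  .200.OK..Content
0x0040:  2d54 7970 653a 2069 6d61 6765 2f67 6966  -Type:.image/gif
0x0050:  0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163  ..Pragma:.no-cac
0x0060:  6865 0d0a 4361 6368 652d 436f 6e74 726f  he..Cache-Contro
0x0070:  6c3a 206e 6f2d 6361 6368 650d 0a43 6f6e  l:.no-cache..Con
0x0080:  7465 6e74 2d4c 656e 6774 683a 2034 330d  tent-Length:.43.
0x0090:  0a44 6174 653a 2054 6875 2c20 3134 204f  .Date:.Thu,.14.O
0x00a0:  6374 2032 3031 3020 3134 3a33 393a 3132  ct.2010.14:39:12
0x00b0:  2047 4d54 0d0a 5365 7276 6572 3a20 4746  .GMT..Server:.GF
0x00c0:  452f 322e 300d 0a0d 0a47 4946 3839 6101  E/2.0....GIF89a.
0x00d0:  0001 0080 0100 0000 00ff ffff 21f9 0401  ............!...
0x00e0:  0000 0100 2c00 0000 0001 0001 0000 0202  ....,...........
0x00f0:  4c01 003b                                L..;
"""

# The two detection options of sid:17246 rev:1 exactly as quoted in the thread.
SID_17246_CONTENT = b"Content-Type: text/html"   # content; nocase; http_header
SID_17246_PCRE = re.compile(rb"\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X lines ('0xOFFSET:  hex ...  ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        hexpart = line.split(":", 1)[1].strip()
        # The hex column is separated from the ASCII column by two or more spaces.
        hexpart = re.split(r"\s{2,}", hexpart, maxsplit=1)[0]
        out += bytes.fromhex(hexpart)
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL field) and the TCP header (data offset field)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


def split_http_response(payload: bytes):
    """Return (headers, body); headers stands in for Snort's http_header buffer."""
    headers, sep, body = payload.partition(b"\r\n\r\n")
    return headers, (body if sep else b"")


def content_type(headers: bytes):
    """Extract the Content-Type header value, or None if absent."""
    m = re.search(rb"(?im)^content-type:\s*([^\r\n]+)", headers)
    return m.group(1).strip() if m else None


def evaluate_sid_17246(payload: bytes) -> dict:
    """Apply the rule's content option (header buffer) and pcre (whole payload)."""
    headers, _body = split_http_response(payload)
    content_hit = SID_17246_CONTENT.lower() in headers.lower()   # nocase
    m = SID_17246_PCRE.search(payload)
    return {
        "content_match": content_hit,
        "pcre_match": m is not None,
        "magic": m.group(1).decode() if m else None,
        "would_alert": content_hit and m is not None,   # both options must match
    }


if __name__ == "__main__":
    payload = tcp_payload(parse_tcpdump_hex(PACKET_DUMP))
    headers, body = split_http_response(payload)
    print("Content-Type:", content_type(headers))
    print("Body length:", len(body), "first bytes:", body[:6])
    print(evaluate_sid_17246(payload))
```

Run against the dump, the pcre fires at the CRLF CRLF that precedes `GIF89a` (a GIF body following its own header is exactly the shape the regex looks for), while the `content` option fails because this response is `Content-Type: image/gif`, not `text/html`. Note that the alert in James's log is stamped 08:38:47 and the dump 08:39:10, so the dumped packet is not necessarily the one that raised the alert; when reporting a suspected false positive it is worth capturing the full stream that produced the event rather than a later packet from the same server.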
