Snort mailing list archives

Re: Possible FP 17363
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 25 Oct 2010 12:44:17 -0400

Actually, this rule is currently at rev:3 - adding a flowbit check and some
additional bytes to the content match - due to earlier false positive
reports. If you get further FPs with the current revision of the rule,
please let us know.

On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

Hi James,
Maybe, for a "small" FP reduction, add "isdataat:255,relative;" after byte_test()?
Another idea: maybe null bytes are separators? Then instead use "isdataat:255,relative; content:!"|00|"; within:255;"?
Regards
Rmkml

PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded



On Mon, 25 Oct 2010, Lay, James wrote:

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; \
  flow:to_client,established; content:"|4C 41 42 4C|"; \
  byte_test:2,>,254,12,relative; \
  metadata:policy balanced-ips drop, policy security-ips drop, service http; \
  reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

Rule hit:

10/25-09:36:34.116283  [**] [1:17363:1] WEB-CLIENT Apple computer finder DMG volume name memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 209.85.225.106:80 -> 66.193.105.132:41579

Packet dump:

09:36:34.116283 IP 209.85.225.106.80 > 66.193.105.132.41579: Flags [.], ack 1, win 6432, length 1400
        0x0000:  4500 05a0 ca35 0000 3906 531d d155 e16a  E....5..9.S..U.j
        0x0010:  42c1 6984 0050 a26b 6789 a15d 278f 81de  B.i..P.kg..]'...
        0x0020:  5010 1920 a7a4 0000 6f74 7970 652e 6469  P.......otype.di
        0x0030:  7361 626c 655d 2c5b 6175 2c75 695d 2c5b  sable],[au,ui],[
        0x0040:  6275 2c66 756e 6374 696f 6e28 297b 7265  bu,function(){re
        0x0050:  7475 726e 2074 7970 656f 6620 7466 3d3d  turn.typeof.tf==
        0x0060:  2273 7472 696e 6722 3f74 663a 2265 6e22  "string"?tf:"en"
        0x0070:  7d5d 2c0a 5b54 752c 6478 2e6c 6f61 645d  }],.[Tu,dx.load]
        0x0080:  2c5b 5575 2c64 782e 4772 5d2c 5b56 752c  ,[Uu,dx.Gr],[Vu,
        0x0090:  6478 2e63 6c65 6172 5d2c 5b57 752c 6478  dx.clear],[Wu,dx
        0x00a0:  2e43 665d 2c5b 5875 2c64 782e 4a5d 2c5b  .Cf],[Xu,dx.J],[
        0x00b0:  5975 2c64 782e 596c 5d2c 5b5a 752c 6478  Yu,dx.Yl],[Zu,dx
        0x00c0:  2e49 645d 2c5b 2475 2c64 782e 5669 5d2c  .Id],[$u,dx.Vi],
        0x00d0:  5b61 762c 6478 2e54 695d 2c5b 6276 2c64  [av,dx.Ti],[bv,d
        0x00e0:  782e 7a71 5d2c 5b63 762c 6478 2e59 695d  x.zq],[cv,dx.Yi]
        0x00f0:  2c5b 6476 2c64 782e 4a62 5d2c 5b65 762c  ,[dv,dx.Jb],[ev,
        0x0100:  6478 2e7a 665d 2c5b 6676 2c64 782e 6765  dx.zf],[fv,dx.ge
        0x0110:  7450 6f6c 796c 696e 655d 2c5b 6776 2c64  tPolyline],[gv,d
        0x0120:  782e 4471 5d2c 5b4c 752c 6778 2e73 686f  x.Dq],[Lu,gx.sho
        0x0130:  775d 2c5b 4d75 2c67 782e 6869 6465 5d2c  w],[Mu,gx.hide],
        0x0140:  5b4e 752c 6778 2e48 5d2c 5b4f 752c 6778  [Nu,gx.H],[Ou,gx
        0x0150:  2e51 625d 2c5b 5075 2c67 782e 7365 7450  .Qb],[Pu,gx.setP
        0x0160:  6172 616d 6574 6572 5d2c 5b4c 762c 6578  arameter],[Lv,ex
        0x0170:  2e6c 795d 2c5b 4d76 2c65 782e 5249 5d2c  .ly],[Mv,ex.RI],
        0x0180:  5b4e 762c 6578 2e59 495d 2c5b 5176 2c66  [Nv,ex.YI],[Qv,f
        0x0190:  782e 6869 6465 5d2c 5b52 762c 6678 2e73  x.hide],[Rv,fx.s
        0x01a0:  686f 775d 2c5b 5376 2c66 782e 485d 2c5b  how],[Sv,fx.H],[
        0x01b0:  5476 2c66 782e 7643 5d2c 5b55 762c 6678  Tv,fx.vC],[Uv,fx
        0x01c0:  2e70 695d 2c5b 5676 2c66 782e 7265 6d6f  .pi],[Vv,fx.remo
        0x01d0:  7665 5d2c 5b57 762c 6678 2e66 6f63 7573  ve],[Wv,fx.focus
        0x01e0:  5d2c 5b58 762c 6678 2e62 6c75 725d 2c5b  ],[Xv,fx.blur],[
        0x01f0:  5976 2c66 782e 246c 5d2c 5b5a 762c 6678  Yv,fx.$l],[Zv,fx
        0x0200:  2e4b 6e5d 2c5b 2476 2c66 782e 5461 5d2c  .Kn],[$v,fx.Ta],
        0x0210:  5b61 772c 6678 2e4d 6c5d 2c5b 6277 2c66  [aw,fx.Ml],[bw,f
        0x0220:  782e 636b 5d2c 5b63 772c 6678 2e62 6b5d  x.ck],[cw,fx.bk]
        0x0230:  2c5b 6477 2c66 782e 6944 5d2c 5b65 772c  ,[dw,fx.iD],[ew,
        0x0240:  6678 2e63 6d5d 2c5b 6677 2c66 782e 6961  fx.cm],[fw,fx.ia
        0x0250:  5d2c 5b67 772c 6678 2e57 695d 5d3b 0a76  ],[gw,fx.Wi]];.v
        0x0260:  6c2e 5265 7475 726e 5661 6c75 6573 3d7b  l.ReturnValues={
        0x0270:  5355 4343 4553 533a 3230 302c 5345 5256  SUCCESS:200,SERV
        0x0280:  4552 5f45 5252 4f52 3a35 3030 2c4e 4f5f  ER_ERROR:500,NO_
        0x0290:  4e45 4152 4259 5f50 414e 4f3a 3630 307d  NEARBY_PANO:600}
        0x02a0:  3b79 6c2e 4572 726f 7256 616c 7565 733d  ;yl.ErrorValues=
        0x02b0:  7b4e 4f5f 4e45 4152 4259 5f50 414e 4f3a  {NO_NEARBY_PANO:
        0x02c0:  3630 302c 4e4f 5f50 484f 544f 3a36 3031  600,NO_PHOTO:601
        0x02d0:  2c46 4c41 5348 5f55 4e41 5641 494c 4142  ,FLASH_UNAVAILAB
        0x02e0:  4c45 3a36 3033 7d3b 4172 7261 792e 7072  LE:603};Array.pr
        0x02f0:  6f74 6f74 7970 652e 7075 7368 2e61 7070  ototype.push.app
        0x0300:  6c79 2848 772c 6675 6e63 7469 6f6e 2829  ly(Hw,function()
        0x0310:  7b76 6172 2061 3d5b 5d3b 613d 612e 636f  {var.a=[];a=a.co
        0x0320:  6e63 6174 2868 7728 2929 3b61 3d61 2e63  ncat(hw());a=a.c
        0x0330:  6f6e 6361 7428 6a77 2829 293b 7265 7475  oncat(jw());retu
        0x0340:  726e 2061 3d61 2e63 6f6e 6361 7428 6c77  rn.a=a.concat(lw
        0x0350:  2829 297d 2829 293b 0a72 662e 7075 7368  ())}());.rf.push
        0x0360:  2866 756e 6374 696f 6e28 6129 7b51 6428  (function(a){Qd(
        0x0370:  612c 7977 2c7a 772c 4177 2c47 772c 6878  a,yw,zw,Aw,Gw,hx
        0x0380:  2c48 772c 7877 297d 293b 6675 6e63 7469  ,Hw,xw)});functi
        0x0390:  6f6e 2069 7828 612c 6229 7b76 6172 2063  on.ix(a,b){var.c
        0x03a0:  3d6e 6577 2056 693b 632e 6d61 7054 7970  =new.Vi;c.mapTyp
        0x03b0:  6573 3d62 7c7c 693b 4466 2e63 616c 6c28  es=b||i;Df.call(
        0x03c0:  7468 6973 2c61 2c63 293b 4428 7468 6973  this,a,c);D(this
        0x03d0:  2c4b 612c 6675 6e63 7469 6f6e 2864 2c66  ,Ka,function(d,f
        0x03e0:  297b 7628 7468 6973 2c4a 612c 7468 6973  ){v(this,Ja,this
        0x03f0:  2e66 6528 6429 2c74 6869 732e 6665 2866  .fe(d),this.fe(f
        0x0400:  2929 7d29 7d0a 4328 6978 2c44 6629 3b6c  ))})}.C(ix,Df);l
        0x0410:  3d69 782e 7072 6f74 6f74 7970 653b 6c2e  =ix.prototype;l.
        0x0420:  6449 3d66 756e 6374 696f 6e28 297b 7661  dI=function(){va
        0x0430:  7220 613d 7468 6973 2e56 2829 3b72 6574  r.a=this.V();ret
        0x0440:  7572 6e20 6e65 7720 7328 612e 6c6e 6728  urn.new.s(a.lng(
        0x0450:  292c 612e 6c61 7428 2929 7d3b 0a6c 2e24  ),a.lat())};.l.$
        0x0460:  483d 6675 6e63 7469 6f6e 2829 7b76 6172  H=function(){var
        0x0470:  2061 3d74 6869 732e 4a28 293b 7265 7475  .a=this.J();retu
        0x0480:  726e 206e 6577 2078 6428 5b61 2e70 6228  rn.new.xd([a.pb(
        0x0490:  292c 612e 6f62 2829 5d29 7d3b 0a6c 2e66  ),a.ob()])};.l.f
        0x04a0:  4a3d 6675 6e63 7469 6f6e 2829 7b76 6172  J=function(){var
        0x04b0:  2061 3d74 6869 732e 4a28 292e 6962 2829  .a=this.J().ib()
        0x04c0:  3b72 6574 7572 6e20 6e65 7720 4128 612e  ;return.new.A(a.
        0x04d0:  6c6e 6728 292c 612e 6c61 7428 2929 7d3b  lng(),a.lat())};
        0x04e0:  0a6c 2e4f 673d 6675 6e63 7469 6f6e 2829  .l.Og=function()
        0x04f0:  7b72 6574 7572 6e20 7468 6973 2e66 6528  {return.this.fe(
        0x0500:  7468 6973 2e49 2829 297d 3b0a 6c2e 5861  this.I())};.l.Xa
        0x0510:  3d66 756e 6374 696f 6e28 6129 7b69 6628  =function(a){if(
        0x0520:  7468 6973 2e6a 6128 2929 4466 2e70 726f  this.ja())Df.pro
        0x0530:  746f 7479 7065 2e58 612e 6361 6c6c 2874  totype.Xa.call(t
        0x0540:  6869 732c 6129 3b65 6c73 6520 7468 6973  his,a);else.this
        0x0550:  2e67 473d 617d 3b0a 6c2e 4846 3d66 756e  .gG=a};.l.HF=fun
        0x0560:  6374 696f 6e28 612c 6229 7b76 6172 2063  ction(a,b){var.c
        0x0570:  3d6e 6577 204e 2861 2e79 2c61 2e78 293b  =new.N(a.y,a.x);
        0x0580:  6966 2874 6869 732e 6a61 2829 297b 7661  if(this.ja()){va
        0x0590:  7220 643d 7468 6973 2e66 6528 6229 3b74  r.d=this.fe(b);t



Looks like Google Maps to me.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
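An added example (not from the thread or from Sourcefire) that emulates the content and byte_test clauses of the rev:1 rule in Python against an excerpt of the payload in James's dump. The "LABL" pattern occurs inside the word "UNAVAILABLE" (packet offset 0x02dd), and the two bytes 12 past the match are ".p" from "Array.prototype", which decode to 11888 and so pass the >254 test; the helper names (content, byte_test, sid_17363_rev1, min_printable_pair) are mine.

```python
"""Emulate the content/byte_test clauses of Snort sid:17363 rev:1 against the
payload that produced the reported hit, to see why it fires on Google Maps JS."""

# Excerpt of the TCP payload transcribed from the tcpdump -X output in James
# Lay's report (packet offsets 0x02d0 through 0x035f); the rest is omitted.
PAYLOAD = (
    b",FLASH_UNAVAILABLE:603};Array.prototype.push.apply(Hw,function()"
    b"{var a=[];a=a.concat(hw());a=a.concat(jw());return a=a.concat(lw"
    b"())}());\nrf.push"
)

def content(payload: bytes, pattern: bytes, start: int = 0):
    """content:"<pattern>"; -- return the detect cursor just past the first
    match at or after `start`, or None if the pattern is absent."""
    idx = payload.find(pattern, start)
    return None if idx < 0 else idx + len(pattern)

def byte_test(payload: bytes, cursor: int, nbytes: int, op: str,
              value: int, offset: int):
    """byte_test:<nbytes>,<op>,<value>,<offset>,relative; with Snort's default
    big-endian decoding (only >, <, = are emulated). Returns (matched, number)."""
    pos = cursor + offset
    if pos < 0 or pos + nbytes > len(payload):
        return False, None            # not enough data to read the field
    num = int.from_bytes(payload[pos:pos + nbytes], "big")
    ops = {">": num > value, "<": num < value, "=": num == value}
    return ops[op], num

def sid_17363_rev1(payload: bytes):
    """content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative;"""
    cursor = content(payload, b"\x4c\x41\x42\x4c")   # "LABL"
    if cursor is None:
        return False, None
    return byte_test(payload, cursor, 2, ">", 254, 12)

def min_printable_pair() -> int:
    """Smallest value byte_test can extract from two printable ASCII bytes.
    Anything at or above it trivially exceeds 254, which is why any text that
    contains "LABL" (here inside "UNAVAILABLE") followed by at least 14 bytes
    of more text satisfies the rev:1 rule."""
    return min(int.from_bytes(bytes([a, b]), "big")
               for a in range(0x20, 0x7f) for b in range(0x20, 0x7f))

if __name__ == "__main__":
    hit, num = sid_17363_rev1(PAYLOAD)
    print(f"rev:1 fires: {hit}; bytes at LABL+12 decode to {num} (0x{num:04x})")
    print(f"minimum for two printable ASCII bytes: {min_printable_pair()}")
```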
