Home page logo
/

snort logo Snort mailing list archives

Re: possible fp on 17297
From: rmkml <rmkml () yahoo fr>
Date: Tue, 16 Nov 2010 22:44:50 +0100 (CET)

Hi Matan,
added more references:
 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=515
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2152
 http://www.kb.cert.org/vuls/id/324929
 http://www.securityfocus.com/bid/23543
 http://xforce.iss.net/xforce/xfdb/33732
-Maybe check if any ports is good for you or maybe add exception port?
-Maybe add "light" within:200; for checking unicode multibyte,
-and maybe add "light" searching long null byte (separator) ending filename like: isdataat:64,relative; 
content:!"|00|"; within:64;

but the best is how length multibyte unicode vulnerability?

do you have a FP example please?
Regards
Rmkml


On Tue, 16 Nov 2010, matan monitz wrote:

hello
i have been trying to investigate a possible fp for 17297 but i can't really figure out what the sig is looking for
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename 
handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00
00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)
i get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; ) thats a rar file header but what is: content:"|E2 CA D4 
B2 E2 CA D4 B2|";?  is it suppose to be something in unicode?
how sure should i be regarding this signature?
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault