Snort mailing list archives

Re: possible fp on 17297
From: rmkml <rmkml () yahoo fr>
Date: Tue, 16 Nov 2010 22:44:50 +0100 (CET)

Hi Matan,
added more references:
-Maybe check if any port is good for you, or maybe add an exception port?
-Maybe add "light" within:200; for checking unicode multibyte,
-and maybe add "light" searching long null byte (separator) ending filename like: isdataat:64,relative; content:!"|00|"; within:64;

but the best is how length multibyte unicode vulnerability?

Do you have an FP example please?

On Tue, 16 Nov 2010, matan monitz wrote:

I have been trying to investigate a possible FP for 17297, but I can't really figure out what the sig is looking for:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)
I get the first part (content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|";), that's a RAR file header, but what is content:"|E2 CA D4 B2 E2 CA D4 B2|";? Is it supposed to be something in unicode?
How sure should I be regarding this signature?
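As an added example that is not part of this thread, the following Python applies the two byte patterns from sid 17297 and rmkml's suggested isdataat/!"|00|" refinement to constructed sample payloads, to show which ones each version of the rule would flag. It assumes a simplified model of Snort's content, distance, isdataat and within semantics; the payloads are constructed, not real captures.

```python
# Byte patterns taken from the rule quoted in the thread (sid 17297).
RAR_HEADER = bytes.fromhex("52 61 72 21 1A 07 00 CF 90 73 00 00 0D")
UNICODE_RUN = bytes.fromhex("E2 CA D4 B2 E2 CA D4 B2")


def match_original(payload: bytes):
    """Content logic of sid 17297: RAR marker, then UNICODE_RUN with distance:0.
    Returns the cursor (end of the second match) or None. Simplified model of
    Snort: we retry later occurrences of the first content if the second fails."""
    start = 0
    while True:
        i = payload.find(RAR_HEADER, start)
        if i == -1:
            return None
        j = payload.find(UNICODE_RUN, i + len(RAR_HEADER))
        if j != -1:
            return j + len(UNICODE_RUN)
        start = i + 1


def match_refined(payload: bytes, span: int = 64) -> bool:
    """Original match plus rmkml's suggestion: isdataat:64,relative and
    content:!"|00|"; within:64. Requires a run of at least `span` non-null
    bytes after the doubled sequence, i.e. a long filename with no terminator."""
    cursor = match_original(payload)
    if cursor is None:
        return False
    if len(payload) - cursor < span:              # isdataat:64,relative
        return False
    return b"\x00" not in payload[cursor:cursor + span]   # !"|00|"; within:64


# Constructed samples (not real traffic): a short filename that is null-terminated
# soon after the doubled sequence, a long filename with no null, and no RAR header.
SHORT_NAME = RAR_HEADER + b"\x00" * 4 + UNICODE_RUN + b"\xe2\xca" * 3 + b"\x00\x00" + b"A" * 80
LONG_NAME = RAR_HEADER + b"\x00" * 4 + UNICODE_RUN + b"\xe2\xca\xd4\xb2" * 30
NO_RAR = b"GET / HTTP/1.1\r\n" + UNICODE_RUN + b"\xe2" * 100


def classify(payload: bytes) -> dict:
    """Report whether the original and the refined rule would alert."""
    return {"original": match_original(payload) is not None,
            "refined": match_refined(payload)}


if __name__ == "__main__":
    for name, p in [("short filename", SHORT_NAME), ("long filename", LONG_NAME),
                    ("no rar header", NO_RAR)]:
        print(name, classify(p))
```

The short-filename sample shows the kind of benign match the original rule alerts on but the refined version does not.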
