Home page logo

snort logo Snort mailing list archives

Re: possible fp on 17297
From: matan monitz <mmonitz () gmail com>
Date: Thu, 18 Nov 2010 16:29:15 +0200

hello rmkml
i have read those references before and i have a basic understanding of the
vulnerability, however this does not explain the second content string in
the signature.
filtering based on ports is not relevent since this sig is meant to look at
files being transferd at any protocol.

i can't figure out what you mean by "light"...

attached is the payload from the alerts
you can also strip the http headers with some hex-editor and get the
beginning of valid rar files
weird, they all seem like valid symantec endpoint protection updates...

anyone from VRT care to enlighten us?

On Tue, Nov 16, 2010 at 11:44 PM, rmkml <rmkml () yahoo fr> wrote:

Hi Matan,
added more references:
-Maybe check if any ports is good for you or maybe add exception port?
-Maybe add "light" within:200; for checking unicode multibyte,
-and maybe add "light" searching long null byte (separator) ending filename
like: isdataat:64,relative; content:!"|00|"; within:64;

but the best is how length multibyte unicode vulnerability?

do you have a FP example please?

On Tue, 16 Nov 2010, matan monitz wrote:

i have been trying to investigate a possible fp for 17297 but i can't
really figure out what the sig is looking for
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee
VirusScan on-access scanner long unicode filename handling buffer overflow
attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90
73 00
00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297;
i get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; ) thats
a rar file header but what is: content:"|E2 CA D4 B2 E2 CA D4 B2|";?  is it
suppose to be something in unicode?
how sure should i be regarding this signature?

Attachment: payload.txt

Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]