FPs for COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow, Sig ID, 100000892

[Russell Fulton <r.fulton () auckland ac nz>]

I'm seeing several thousand hits a day on this mostly from a single pair
of addresses.

Russell.


> META
> --------
> SID   CID     TimeStamp               Signature
> 6     1228538 2006-11-17 10:18:14     COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow
> Sig ID
> 100000892
>
> Sensor Hostname                               Sensor Interface
> monitor-dmzo.isec.auckland.ac.nz      new dmz sensor
>
> IP
> --------
> Source Address        Dest Address    Ver     Hdr Len
> 130.216.59.17 74.112.73.90    4       5
> TOS   length  ID      flags   offset  TTL     chksum
> 0     880     7034    2       0       126     35930
>
> Resolved Source
> c.liang.glg.auckland.ac.nz
>
> Resolved Dest
> Could Not Resolve
>
>
> TCP
> --------
> Source Port   Dest Port       Seq             Ack             
> 2569          1720            129613138       3274426388
> Offset        Reserved        Flags   Window  Checksum        Urgent Ptr
> 5     0               24      65535   9277            0
>
> Options
> --------
> None
>
>
> Flags
> --------
> RB 1  RB 0    URG     ACK     PSH     RST     SYN     FIN
>                       X       X                               
>
> DATA
> --------
> 08B4407CA02BFB9E1B01  ..@|.+....
> 764CB68DA53416D0AF5C  vL...4...\
> 2F5A66047E7432819AA5  /Zf.~t2...
> 242838D1293BE5C2BB08  $(8.);....
> 9150CC4B0908C80D4F7D  .P.K....O}
> E41999BACC3069845326  .....0i.S&
> 4C254C83FD5A008E8788  L%L..Z....
> B25C21E562D50E5979C9  .\!.b..Yy.
> DD9832020156C410F798  ..2..V....
> 49543431495D16506451  IT41I].PdQ
> 520A2E93D16B70A8D6B2  R....kp...
> 2828AA910160B56A26B9  ((...`.j&.
> 348CF44A468A08EA0D68  4..JF....h
> ECB92C4AFAEB927F1C64  ..,J.....d
> 305E5CACD08A1196D93D  0^\......=
> FFA88C67E283307E1F72  ...g..0~.r
> A7E0DAE086222D43EDBE  ....."-C..
> B8A9AAAB877398E9EFF4  .....s....
> 5CDDE13D10BA9E046607  \..=....f.
> A932A024D9C05FC9C211  .2.$.._...
> 3B4D0DE54CCB79FBEEFD  ;M..L.y...
> B5B6EB2A57A28211116F  ...*W....o
> 64F31ABDE53631343144  d....6141D
> AADE92A15F1D35DAA2BD  ...._.5...
> D1E3AD2FC0870408235E  .../....#^
> 97047106948F95F8CDD0  ..q.......
> 4FE617E7F3623070C661  O....b0p.a
> 13C22225FF45DF9F2378  .."%.E..#x
> A3322917548DA8446628  .2).T..Df(
> 4CFE506B5AE64C9988CF  L.PkZ.L...
> B69A92E700A201693BD4  .......i;.
> CF0C20D24ED44AB9AEFF  .. .N.J...
> 784129020B20A2911177  xA).. ...w
> 7F67B95111119BF27A68  .g.Q....zh
> 7D0A6B2325C2DF2BF7CA  }.k#%..+..
> A0416D1FEB31A1914548  .Am..1..EH
> A8BA1C64C2514C229406  ...d.QL"..
> 03B9DF9777E44444456F  ....w.DDEo
> FEABBF52405628969A27  ...R@V(..'
> 9F4834C27844734FEAC8  .H4.xDsO..
> 1583CAD6AE4005016316  .....@..c.
> 1001BF6D867FD1E23E98  ...m....>.
> 8208208A28A282082213  .. .(...".
> 57EC98B55AFBA3D5ECF9  W...Z.....
> 7B0F9610B8542670E623  {....T&p.#
> 5525D6174E256B096702  U%..N%k.g.
> 414104A2A34100AA8E67  AA...A...g
> B5AD4A2C96F7658B507F  ..J,..e.P.
> C80BBF93D4B7F71B80A8  ..........
> 4E393CAFB0586302FAEB  N9<..Xc...
> C8D514BE1BAB0A056A9A  ........j.
> F4522851D0B340CCEB15  .R(Q..@...
> 9CB2474FEC04882D9CB3  ..GO...-..
> 4F69728949810414888B  Oir.I.....
> DE99F72888CCDF5F5759  ...(..._WY
> 6863434FD1E61186C02E  hcCO......
> 15D798B911508A0367B8  .....P..g.
> 1CFAF3BB729001450422  ....r..E."
> 0ADEC9E5227D4FB6B885  ...."}O...
> 28C2512A41AA920F4424  (.Q*A...D$
> 8BF7EF2BF4CCD6B25073  ...+....Ps
> 9AA64B9C191C94B10542  ..K......B
> 46480C04A286D9E2D23A  FH.......:
> 7432B6C1061888AE3EF7  t2......>.
> A41712DA78B0E4F1E400  ....x.....
> A0001C26EC7ECA9E1684  ...&.~....
> 2419562DD8A85BEA4D01  $.V-..[.M.
> 6BE2BEF70A60CE46BF6B  k....`.F.k
> 70F750C255153390C312  p.P.U.3...
> E18D258C45F1F9F2761D  ..%.E...v.
> DE4CE828A44059D23AC6  .L.(.@Y.:.
> CC7FE8D0A3D9F57F3200  ........2.
> 1EB57542A0225001E67D  ..uB."P..}
> 9CBC9E9B7B6312C2F0CC  ....{c....
> 960A05A03534864C68DF  ....54.Lh.
> 2AFA1DEDAE73A370AC56  *....s.p.V
> A6297AF366EC3DA4180C  .)z.f.=...
> 221A67FF80001035386A  ".g....58j
> 4CE50F2A327F9B9082F1  L..*2.....
> 5EFB055082D5F4B2EC11  ^..P......
> BA25DBAC17D676D2016E  .%....v..n
> F7C9A5BCD3FFE2379607  .......7..
> B9F67A4A2F280A84082A  ..zJ/(...*
> 04501B35F151A877226B  .P.5.Q.w"k
>
> DATA
> --------
> ..@|.+....vL...4...\/Zf.~t2...$(8.);.....P.K....O}.....0i.S&
> L%L..Z.....\!.b..Yy...2..V....IT41I].PdQR....kp...((...`.j&.
> 4..JF....h..,J.....d0^\......=...g..0~.r....."-C.......s....
> \..=....f..2.$.._...;M..L.y......*W....od....6141D...._.5...
> .../....#^..q.......O....b0p.a.."%.E..#x.2).T..Df(L.PkZ.L...
> .......i;... .N.J...xA).. ...w.g.Q....zh}.k#%..+...Am..1..EH
> ...d.QL"......w.DDEo...R@V(..'.H4.xDsO.......@..c....m....>.
> .. .(...".W...Z.....{....T&p.#U%..N%k.g.AA...A...g..J,..e.P.
> ..........N9<..Xc...........j..R(Q.. ()      GO   -  Oir.I.....
> ...(..._WYhcCO...........P..g.....r..E."...."}O...(.Q*A...D$
> ...+....Ps..K......BFH.......:t2......>.....x........&.~....
> $.V-..[.M.k....`.F.kp.P.U.3.....%.E...v..L.(.@Y.:.........2.
> ..uB."P..}....{c........54.Lh.*....s.p.V.)z.f.=...".g....58j
> L..*2.....^..P.......%....v..n.......7....zJ/(...*.P.5.Q.w"k
>   

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users