Snort mailing list archives

Re: bad range 3038303030303030


From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 24 May 2012 09:54:49 -0400

Here is the version of these rules which is available in the current
subscriber pack, which fixes the problem:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"21433412"; content:"4E087DEB"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy
balanced-ips drop, policy security-ips drop, service http, service imap,
service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21902; rev:3;)
akirk@sf:~/cvs/sfeng/research/rules/snort-rules$ grep -hi sid:2190[3-6] *
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"21433412"; content:"8B8DDA58"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy
balanced-ips drop, policy security-ips drop, service http, service imap,
service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21903; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"21433412"; content:"0036D8F4"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy
balanced-ips drop, policy security-ips drop, service http, service imap,
service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21904; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"21433412"; content:"B13CC16A"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy
balanced-ips drop, policy security-ips drop, service http, service imap,
service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21905; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"21433412"; content:"8E7EE1E6"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy
balanced-ips drop, policy security-ips drop, service http, service imap,
service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21906; rev:3;)

Looking at the revision history on these, the problem was corrected on
April 26 in subscriber packs, so registered users should have the fix
automatically by May 26 per the standard 30-day lag. That said, since this
is on us, we want to make sure that everyone has access to a fix, so here
it is.

On Thu, May 24, 2012 at 9:23 AM, Weir, Jason <jason.weir () nhrs org> wrote:

Looks like a problem with the following rules… 21902-21906

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service http,
service imap, service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21902; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service http,
service imap, service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21903; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service http,
service imap, service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21904; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service http,
service imap, service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21905; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service http,
service imap, service pop3; reference:cve,2012-0158; reference:url,
technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21906; rev:1;)

-J

From: costin [mailto:costinvilcu () yahoo com]
Sent: Thursday, May 24, 2012 5:16 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] bad range 3038303030303030

Hi,

I am running the 2.9.1.2 version of Snort, and I just applied the VRT for
registered users (the one from 4/24/2012).

After restarting Snort, I got the following messages:

"
Starting Snort on interface eth6...
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
"

I got the same messages for every interface I was running Snort on.

Does anyone have more info about these messages?

Thanks,





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
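The following is an added illustration for this archive page, not code from the thread, from Sourcefire, or from the Snort project. It emulates the `byte_test` option with the `string,hex` modifiers so the difference between the rev:1 and rev:3 rules above can be reproduced offline: the rev:1 value `3038303030303030` is the ASCII-hex spelling of the eight characters `08000000`, i.e. the hex text of the field was pasted where the numeric comparison value belongs, and as a decimal number it is far above 2^32, while rev:3 compares against `0x08000000` at offset 8 and drops the `byte_extract` checks. Assumptions, not stated in the thread: that this Snort version stores the `byte_test` comparison value in an unsigned 32-bit integer and rejects larger values at rule-load time, and that the `little` modifier does not change how ASCII hex digits are parsed. The rule fragments and hex streams below are constructed samples, not real documents.

```python
"""Added example: emulate Snort byte_test with string,hex and range-check
the comparison value (not Snort's or Sourcefire's own code)."""
import re

# Assumption about the rule parser: the comparison value is held in an
# unsigned 32-bit integer, so anything larger cannot be loaded.
VALUE_BITS = 32


def value_in_range(value_text, bits=VALUE_BITS):
    """True if a byte_test value literal (decimal or 0x hex) fits in `bits` bits."""
    value = int(value_text.strip(), 0)
    return 0 <= value < (1 << bits)


def byte_test_values(rule_text):
    """Return [(value_literal, fits)] for every byte_test option in a rule.
    Field order in byte_test is bytes,operator,value,offset,[modifiers]."""
    results = []
    for opts in re.findall(r"byte_test:([^;]+);", rule_text):
        fields = [f.strip() for f in opts.split(",")]
        results.append((fields[2], value_in_range(fields[2])))
    return results


def decode_hex_literal(hex_text):
    """Read a hex-digit string as the ASCII bytes it spells,
    e.g. '3038303030303030' -> '08000000'."""
    return bytes.fromhex(hex_text).decode("ascii")


def byte_test_string_hex(buf, cursor, nbytes, offset, value, op=">"):
    """Emulate byte_test:<nbytes>,<op>,<value>,<offset>,relative,string,hex.
    The field at cursor+offset is nbytes ASCII hex digits; it is parsed as a
    number and compared with value. Assumption: with the string modifier the
    endianness flag does not alter how the digits are read."""
    start = cursor + offset
    if start < 0 or start + nbytes > len(buf):
        return False  # field would lie outside the buffer: no match
    try:
        field = int(buf[start:start + nbytes].decode("ascii"), 16)
    except ValueError:
        return False  # not hex digits: no match
    ops = {">": field > value, "<": field < value, "=": field == value}
    return ops[op]


# Constructed byte_test fragments mirroring rev:1 and rev:3 of sid 21902.
RULE_REV1 = "byte_test:8,>,3038303030303030,-8,relative,little,string,hex;"
RULE_REV3 = "byte_test:8,>,0x08000000,8,relative,little,string,hex;"

# Constructed RTF-style hex streams (ASCII hex text), not real documents.
# "436F626A" spells "Cobj"; after that content match the cursor sits at the
# end of the pattern, and rev:3 skips 8 characters and tests the next 8.
SAMPLE_SMALL = b"2143341200000000436F626A" + b"00000000" + b"00000200" + b"00"
SAMPLE_LARGE = b"2143341200000000436F626A" + b"00000000" + b"08000001" + b"00"


def rule_rev3_matches(buf):
    """Apply the rev:3 check: locate 'Cobj' case-insensitively (nocase),
    then byte_test 8 hex characters at offset 8 against 0x08000000."""
    idx = buf.upper().find(b"436F626A")
    if idx < 0:
        return False
    cursor = idx + len(b"436F626A")
    return byte_test_string_hex(buf, cursor, 8, 8, 0x08000000, ">")


if __name__ == "__main__":
    print("rev:1 values:", byte_test_values(RULE_REV1))
    print("rev:3 values:", byte_test_values(RULE_REV3))
    print("3038303030303030 spells:", decode_hex_literal("3038303030303030"))
    print("rev:3 on small field:", rule_rev3_matches(SAMPLE_SMALL))
    print("rev:3 on large field:", rule_rev3_matches(SAMPLE_LARGE))
```

Running `byte_test_values` over a downloaded rules file before deploying it is a cheap pre-flight check that catches this class of load-time error without restarting every sensor interface.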
