List:       snort-sigs
Subject:    Re: [Snort-sigs] Possible 16295 FP
From:       rmkml <rmkml () yahoo ! fr>
Date:       2010-10-25 19:24:56
Message-ID: alpine.LFD.2.00.1010252124370.2474 () lenovo ! localdomain

Hi James,
Your packet dump does not contain the MSCF word; could you send another FP that contains MSCF to the list please? What Snort version do you use please? Because Will has found a bug with file_data on Snort v290. Rev 2 is already the latest version.
Regards
Rmkml


On Mon, 25 Oct 2010, Lay, James wrote:

> 
> Rule:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;)
> 
> 
> Rule hit:
> 
> 10/25-10:42:14.031398  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 209.85.225.99:80 -> 66.193.105.132:49789
> 
> 
> Packet dump:
> 
> 10:46:32.724354 IP 209.85.225.99.80 > 66.193.105.132.49879: Flags [.], ack 1945071829, win 25728, length 1400
> 0x0000:  4500 05a0 da3b 0000 3906 431e d155 e163  E....;..9.C..U.c
> 0x0010:  42c1 6984 0050 c2d7 a6eb 4fff 73ef 70d5  B.i..P....O.s.p.
> 0x0020:  5010 6480 11b8 0000 2229 2c22 2622 2c62  P.d....."),"&",b
> 0x0030:  2c22 3d22 2c63 5d2e 6a6f 696e 2822 2229  ,"=",c].join("")
> 0x0040:  7d66 756e 6374 696f 6e20 7128 612c 6229  }function.q(a,b)
> 0x0050:  7b62 3d6e 6577 2052 6567 4578 7028 225b  {b=new.RegExp("[
> 0x0060:  3f26 5d22 2b62 2b22 3d5b 5e26 5d2a 222c  ?&]"+b+"=[^&]*",
> 0x0070:  2267 6922 293b 613d 612e 7265 706c 6163  "gi");a=a.replac
> 0x0080:  6528 622c 2222 293b 7265 7475 726e 2061  e(b,"");return.a
> 0x0090:  3d61 2e72 6570 6c61 6365 282f 5e28 5b5e  =a.replace(/^([^
> 0x00a0:  3f26 5d2a 2926 282e 2a29 2f2c 2224 313f  ?&]*)&(.*)/,"$1?
> 0x00b0:  2432 2229 7d0a 6675 6e63 7469 6f6e 2075  $2")}.function.u
> 0x00c0:  2861 2c62 297b 6966 2821 6129 7265 7475  (a,b){if(!a)retu
> 0x00d0:  726e 2062 3b72 6574 7572 6e28 6e65 7720  rn.b;return(new.
> 0x00e0:  5265 6745 7870 2822 282c 7c5e 2922 2b62  RegExp("(,|^)"+b
> 0x00f0:  2b22 282c 7c24 2922 2929 2e74 6573 7428  +"(,|$)")).test(
> 0x0100:  6129 3f61 3a62 2b22 2c22 2b61 7d66 756e  a)?a:b+","+a}fun
> 0x0110:  6374 696f 6e20 7028 612c 6229 7b66 6f72  ction.p(a,b){for
> 0x0120:  2876 6172 2063 3d2f 5b3f 265d 696d 6774  (var.c=/[?&]imgt
> 0x0130:  7970 653d 285b 5e26 5d2a 292f 672c 643d  ype=([^&]*)/g,d=
> 0x0140:  6e75 6c6c 2c65 3d22 223b 643d 632e 6578  null,e="";d=c.ex
> 0x0150:  6563 2861 293b 2965 3d64 5b31 5d3b 7265  ec(a);)e=d[1];re
> 0x0160:  7475 726e 2074 2861 2c22 696d 6774 7970  turn.t(a,"imgtyp
> 0x0170:  6522 2c75 2865 2c62 2929 7d66 756e 6374  e",u(e,b))}funct
> 0x0180:  696f 6e20 7628 297b 7661 7220 613d 6c6f  ion.v(){var.a=lo
> 0x0190:  6361 7469 6f6e 2e68 6173 683b 6966 2861  cation.hash;if(a
> 0x01a0:  2626 612e 696e 6465 784f 6628 2273 7461  &&a.indexOf("sta
> 0x01b0:  7274 2229 3e2d 3129 7b76 6172 2062 3d77  rt")>-1){var.b=w
> 0x01c0:  696e 646f 772e 6479 6e2e 7365 7452 6573  indow.dyn.setRes
> 0x01d0:  756c 7473 3b77 696e 646f 772e 6479 6e2e  ults;window.dyn.
> 0x01e0:  7365 7452 6573 756c 7473 3d66 756e 6374  setResults=funct
> 0x01f0:  696f 6e28 297b 7769 6e64 6f77 2e64 796e  ion(){window.dyn
> 0x0200:  2e73 6574 5265 7375 6c74 733d 627d 7d7d  .setResults=b}}}
> 0x0210:  7628 293b 0a7d 2920 2829 3b64 796e 2e69  v();.}).();dyn.i
> 0x0220:  6e69 7469 616c 697a 6528 275c 7832 3670  nitialize('\x26p
> 0x0230:  7265 765c 7833 642f 696d 6167 6573 2533  rev\x3d/images%3
> 0x0240:  4671 2533 4470 6f6e 6465 726f 7361 2532  Fq%3Dponderosa%2
> 0x0250:  426c 6162 7325 3236 686c 2533 4465 6e25  Blabs%26hl%3Den%
> 0x0260:  3236 6762 7625 3344 3225 3236 7462 7325  26gbv%3D2%26tbs%
> 0x0270:  3344 6973 6368 3a31 272c 302c 3029 3b64  3Disch:1',0,0);d
> 0x0280:  796e 2e73 6574 5265 7375 6c74 7328 5b5b  yn.setResults([[
> 0x0290:  222f 696d 6772 6573 3f69 6d67 7572 6c5c  "/imgres?imgurl\
> 0x02a0:  7833 6468 7474 703a 2f2f 7472 6565 732e  x3dhttp://trees.
> 0x02b0:  7374 616e 666f 7264 2e65 6475 2f69 6d61  stanford.edu/ima
> 0x02c0:  6765 732f 5069 6e61 6365 6165 2f70 6f6e  ges/Pinaceae/pon
> 0x02d0:  6465 726f 7361 2e6a 7067 5c78 3236 696d  derosa.jpg\x26im
> 0x02e0:  6772 6566 7572 6c5c 7833 6468 7474 703a  grefurl\x3dhttp:
> 0x02f0:  2f2f 7363 6965 6e63 6562 6c6f 6773 2e63  //scienceblogs.c
> 0x0300:  6f6d 2f63 6861 6f74 6963 7574 6f70 6961  om/chaoticutopia
> 0x0310:  2f32 3030 382f 3032 2f77 6861 745f 6d61  /2008/02/what_ma
> 0x0320:  6b65 735f 7468 655f 7069 6e65 735f 6772  kes_the_pines_gr
> 0x0330:  6f77 5f70 6172 742e 7068 705c 7832 3675  ow_part.php\x26u
> 0x0340:  7367 5c78 3364 5f5f 5a47 5767 7556 516a  sg\x3d__ZGWguVQj
> 0x0350:  7848 744a 3453 4149 6853 7a47 304a 4a74  xHtJ4SAIhSzG0JJt
> 0x0360:  4d69 735c 7833 645c 7832 3668 5c78 3364  Mis\x3d\x26h\x3d
> 0x0370:  3638 305c 7832 3677 5c78 3364 3439 365c  680\x26w\x3d496\
> 0x0380:  7832 3673 7a5c 7833 6439 375c 7832 3668  x26sz\x3d97\x26h
> 0x0390:  6c5c 7833 6465 6e5c 7832 3673 7461 7274  l\x3den\x26start
> 0x03a0:  5c78 3364 315c 7832 367a 6f6f 6d5c 7833  \x3d1\x26zoom\x3
> 0x03b0:  6431 5c78 3236 6974 6273 5c78 3364 3122  d1\x26itbs\x3d1"
> 0x03c0:  2c22 222c 224e 7364 672d 6139 7a38 7741  ,"","Nsdg-a9z8wA
> 0x03d0:  4c54 4d3a 222c 2268 7474 703a 2f2f 7472  LTM:","http://tr
> 0x03e0:  6565 732e 7374 616e 666f 7264 2e65 6475  ees.stanford.edu
> 0x03f0:  2f69 6d61 6765 732f 5069 6e61 6365 6165  /images/Pinaceae
> 0x0400:  2f70 6f6e 6465 726f 7361 2e6a 7067 222c  /ponderosa.jpg",
> 0x0410:  2231 3031 222c 2231 3339 222c 2253 6f2c  "101","139","So,
> 0x0420:  205c 7833 6362 5c78 3365 706f 6e64 6572  .\x3cb\x3eponder
> 0x0430:  6f73 615c 7833 632f 625c 7833 6520 7069  osa\x3c/b\x3e.pi
> 0x0440:  6e65 7320 6d61 7920 6265 222c 2222 2c22  nes.may.be","","
> 0x0450:  222c 2234 3936 2026 7469 6d65 733b 2036  ","496.&times;.6
> 0x0460:  3830 202d 2039 376b 222c 226a 7067 222c  80.-.97k","jpg",
> 0x0470:  2273 6369 656e 6365 626c 6f67 732e 636f  "scienceblogs.co
> 0x0480:  6d22 2c22 222c 2222 2c22 6874 7470 3a2f  m","","","http:/
> 0x0490:  2f74 302e 6773 7461 7469 632e 636f 6d2f  /t0.gstatic.com/
> 0x04a0:  696d 6167 6573 222c 2231 222c 5b5d 2c22  images","1",[],"
> 0x04b0:  222c 302c 2222 2c5b 5d2c 2222 2c22 222c  ",0,"",[],"","",
> 0x04c0:  2222 2c22 222c 2222 2c22 222c 2222 2c22  "","","","","","
> 0x04d0:  222c 2222 5d2c 5b22 2f69 6d67 7265 733f  ",""],["/imgres?
> 0x04e0:  696d 6775 726c 5c78 3364 6874 7470 3a2f  imgurl\x3dhttp:/
> 0x04f0:  2f62 6579 6572 7265 6e65 7761 626c 6566  /beyerrenewablef
> 0x0500:  7565 6c73 2e63 6f6d 2f6d 696e 6572 616c  uels.com/mineral
> 0x0510:  2532 3532 306c 6162 7325 3235 3230 7465  %2520labs%2520te
> 0x0520:  7374 2532 3532 3067 7265 656e 7761 7374  st%2520greenwast
> 0x0530:  6525 3235 3230 706f 6c79 2532 3532 0d0a  e%2520poly%252..
> 0x0540:  3130 3030 0d0a 3067 6c79 6365 726f 6c2e  1000..0glycerol.
> 0x0550:  6a70 675c 7832 3669 6d67 7265 6675 726c  jpg\x26imgrefurl
> 0x0560:  5c78 3364 6874 7470 3a2f 2f62 6579 6572  \x3dhttp://beyer
> 0x0570:  7265 6e65 7761 626c 6566 7565 6c73 2e63  renewablefuels.c
> 0x0580:  6f6d 2f4d 6169 6e25 3235 3230 5465 7374  om/Main%2520Test
> 0x0590:  2532 3532 3050 6167 652e 6874 6d5c 7832  %2520Page.htm\x2
> 
> 
> Looks like more google happiness.
> 
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
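As an added example (not from this thread and not part of the Snort rule set), the following Python approximates the content/byte_test/pcre chain of sid 16295 rev 2 on a reassembled buffer. It shows why a buffer with no "MSCF" word, like the dump above, cannot match the rule as written, and which CAB flag/string layouts do match. The CFHEADER layout and flag bits are taken from the public Microsoft CAB format; the sample payloads and the `cab_header` helper are constructed for this example.

```python
import re
import struct

# CFHEADER flag bits from the Microsoft CAB format: 0x0001 prev cabinet,
# 0x0002 next cabinet, 0x0004 reserve fields present.
FLAG_PREV_OR_NEXT = 0x0003
FLAG_RESERVE_PRESENT = 0x0004

# The rule's pcre, evaluated relative to the end of the "MSCF" match: the
# remaining 32 header bytes, an optional NUL-terminated string, then 256
# consecutive non-NUL bytes (an overlong cabinet/disk name).
OVERLONG_NAME = re.compile(rb"^.{32}([^\x00]*\x00)?[^\x00]{256}", re.DOTALL)

# Constructed stand-in for the JavaScript seen in the quoted packet dump.
JS_SAMPLE = b'}function q(a,b){b=new RegExp("[?&]"+b+"=[^&]*","gi");a=a.replace(b,"")'


def rule_16295_matches(payload: bytes) -> bool:
    """Approximate sid 16295 rev 2 on one reassembled buffer.

    content:"MSCF", then two byte_tests on the little-endian flags word 26
    bytes past the match (header offset 30), then the pcre from that point.
    Later "MSCF" occurrences are retried, as Snort does when an option fails.
    """
    start = 0
    while True:
        idx = payload.find(b"MSCF", start)
        if idx < 0:
            return False  # no CAB signature at all: the rule cannot fire
        after = idx + 4  # detection pointer after the content match
        if after + 28 <= len(payload):
            (flags,) = struct.unpack_from("<H", payload, after + 26)
            if flags & FLAG_PREV_OR_NEXT and not flags & FLAG_RESERVE_PRESENT:
                if OVERLONG_NAME.match(payload[after:]):
                    return True
        start = idx + 1


def cab_header(flags: int, cab_prev: bytes = b"a.cab", cab_next: bytes = b"b.cab") -> bytes:
    """Constructed 36-byte CFHEADER (version 1.3) plus the optional name strings."""
    hdr = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 0, 0, 0, 0, 3, 1, 1, 1, flags, 0, 0)
    if flags & 0x0001:
        hdr += cab_prev + b"\x00" + b"disk1\x00"
    if flags & 0x0002:
        hdr += cab_next + b"\x00" + b"disk2\x00"
    return hdr


if __name__ == "__main__":
    print("plain cab:", rule_16295_matches(cab_header(0x0000)))
    print("overlong next name:", rule_16295_matches(cab_header(0x0002, cab_next=b"A" * 300)))
    print("dumped javascript:", rule_16295_matches(JS_SAMPLE))
```

A well-formed chained cabinet with short names does not match, a 300-byte next-cabinet name does, and a header with the reserve bit set is excluded by the second byte_test.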



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

