
List:       snort-sigs
Subject:    Re: [Snort-sigs] Help
From:       Alex McDonnell <amcdonnell () sourcefire ! com>
Date:       2020-04-07 15:23:24
Message-ID: CAK6Z=_U1eO2S2rX4HWdNBGENXyOKAx2PFNQjLEo=bRhuutqyLA () mail ! gmail ! com

If you're looking for examples of how this can be blocked, there are
several existing rules in the Talos Snort Ruleset that alert
19013
2337
45612

(648 just detects the shellcode and 518 just detects that this is a tftp
write)

==========================================================
Alerts:
==========================================================
        tftp-wrq-filename-overflow.pcap
                1:19013:9 PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ
                1:2337:23 PROTOCOL-TFTP PUT filename overflow attempt
                1:648:18 INDICATOR-SHELLCODE x86 NOOP
                1:518:16 PROTOCOL-TFTP Put
                1:45612:2 PROTOCOL-TFTP WRITE long filename attempt
==========================================================

On Wed, Apr 1, 2020 at 12:34 PM Rohit Khosla via Snort-sigs <
snort-sigs@lists.snort.org> wrote:

> Please unsubscribe.
>
> On Wed, Apr 1, 2020 at 5:03 PM <snort-sigs-request@lists.snort.org> wrote:
>
>> Send Snort-sigs mailing list submissions to
>>         snort-sigs@lists.snort.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         https://lists.snort.org/mailman/listinfo/snort-sigs
>> or, via email, send a message with subject or body 'help' to
>>         snort-sigs-request@lists.snort.org
>>
>> You can reach the person managing the list at
>>         snort-sigs-owner@lists.snort.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Snort-sigs digest..."
>>
>>
>> Today's Topics:
>>
>>    1. (no subject) (Boroboro Yokotero)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 01 Apr 2020 01:24:49 +0300
>> From: Boroboro Yokotero <yokotero@yandex.ru>
>> To: "snort-sigs@lists.snort.org" <snort-sigs@lists.snort.org>
>> Subject: [Snort-sigs] (no subject)
>> Message-ID: <8306271585693391@iva8-bad53723c646.qloud-c.yandex.net>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> An HTML attachment was scrubbed...
>> URL: <
>> https://lists.snort.org/pipermail/snort-sigs/attachments/20200401/a6bb0894/attachment-0001.htm
>> >
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs@lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-sigs
>> http://www.snort.org
>>
>> Please follow these rules:
>> https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>> ------------------------------
>>
>> End of Snort-sigs Digest, Vol 35, Issue 1
>> *****************************************
>>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats
> (https://snort.org/downloads/#rule-downloads)!
>
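
An added illustration, not part of the original message and not the logic of the Talos rules: a minimal Python check of a TFTP write request (WRQ) for the conditions the alert names above describe (a PUT, an over-long filename, a bad MODE field, an x86 NOP run). The thresholds, finding labels and sample payloads are assumptions constructed for this example.

```python
import struct

TFTP_WRQ = 2                      # RFC 1350 opcode for a write request
VALID_MODES = {b"netascii", b"octet", b"mail"}
MAX_NAME = 128                    # assumed threshold, not taken from the Talos rules
MAX_MODE = 8                      # len("netascii"), the longest RFC 1350 mode
NOP_RUN = b"\x90" * 16            # assumed minimum x86 NOP run worth flagging

def inspect_wrq(payload: bytes) -> list[str]:
    """Return the findings for one UDP payload sent to port 69."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != TFTP_WRQ:
        return []                 # not a write request, nothing to check
    findings = ["tftp-put"]
    body = payload[2:]
    name, sep, rest = body.partition(b"\x00")
    if not sep:
        # The filename never terminates inside the datagram.
        findings.append("unterminated-filename")
        rest = b""
    if len(name) > MAX_NAME:
        findings.append("long-filename")
    mode, sep, _ = rest.partition(b"\x00")
    # RFC 1350 modes are case-insensitive; anything else is suspect.
    if sep and (len(mode) > MAX_MODE or mode.lower() not in VALID_MODES):
        findings.append("bad-mode")
    if NOP_RUN in body:
        findings.append("x86-nop-run")
    return findings

def wrq(name: bytes, mode: bytes) -> bytes:
    """Build a WRQ datagram: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", TFTP_WRQ) + name + b"\x00" + mode + b"\x00"

# Constructed sample payloads (not taken from tftp-wrq-filename-overflow.pcap).
SAMPLES = {
    "normal": wrq(b"firmware.bin", b"octet"),
    "long-name": wrq(b"A" * 300, b"octet"),
    "nop-run": wrq(b"\x90" * 200, b"octet"),
    "long-mode": wrq(b"a.txt", b"B" * 64),
    "read": struct.pack("!H", 1) + b"a.txt\x00octet\x00",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:10} {inspect_wrq(pkt)}")
```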
