[Snort-sigs] rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow

Matthew Jonkman matt at ...2436...
Wed Jul 21 08:00:21 EDT 2004

Questions inline:

Joseph Gama wrote:

> #(create packets-DOS, tunneling, etc)
> #libnetnt.dll
> #libnet.dll
> #libdnet.dll
> #(read packets-sniffer, etc)
> #wpcap.dll
> #rpklib.dll
> #(all purpose, Trojan, RAT, etc)
> #socket.dll
> #ws2_32.dll
> #wsock32.dll
> #packet32.dll
> #packet.dll
> #iphlpapi.dll
> #wininet.dll
> #(ShellCode, RAT)
> #cmd.exe
> #\cmd.exe
> #explorer.exe
> #shell32.dll
> #(DOS, ping)
> #icmp.dll
> #local network(net send, enumerate)
> #netapi32.dll 

I'm concerned about falses on these. Backups, program downloads, 
executing programs across the network, etc, would likely trip a number 
of them.

Have you been using them Joseph? How accurate are they? Anyone else 
tried them?

> alert tcp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0;
> fragbits:!M; flags:!AP,12; window:2048;
> reference:arachnids,162; classtype:bad-unknown;
> sid:99999; rev:1;)
Question for the sourcefire folks, is this type of packet not detected 
by existing means? And is flags the way to annotate it, or should it be 
something new? I understand flags is obsoloted, but can't find 
documentation on a better way. Or is that just flags for flow?

> alert tcp any any -> any any (msg:"Adobe Acrobat
> Reader XFDF possible buffer overflow";
> content:"application/vnd.adobe.xfdf"; reference: url,
> http.www.nextgenss.com/advisories/adobexfdf.txt;
> classtype:bad-unknown; sid:99999; rev:1;)
And not to shoot down everything you did Joseph, :)  this is going to be 
chuck full of falses. The filetype is legitmate, there's nothing to 
differentiuate this from a false. And I know I hot these files quite a 
bit (and are all legitimate). Is there something we can add to it to 
identofy a malicious hit?

Thanks for the work Joseph.


More information about the Snort-sigs mailing list