[Snort-sigs] rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow
matt at ...2436...
Wed Jul 21 08:00:21 EDT 2004
Joseph Gama wrote:
> #(create packets-DOS, tunneling, etc)
> #(read packets-sniffer, etc)
> #(all purpose, Trojan, RAT, etc)
> #(ShellCode, RAT)
> #(DOS, ping)
> #local network(net send, enumerate)
I'm concerned about falses on these. Backups, program downloads,
executing programs across the network, etc, would likely trip a number
Have you been using them Joseph? How accurate are they? Anyone else
> alert tcp $EXTERNAL_NET any -> $HOME_NET any
> (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0;
> fragbits:!M; flags:!AP,12; window:2048;
> reference:arachnids,162; classtype:bad-unknown;
> sid:99999; rev:1;)
Question for the sourcefire folks, is this type of packet not detected
by existing means? And is flags the way to annotate it, or should it be
something new? I understand flags is obsoleted, but can't find
documentation on a better way. Or is that just flags for flow?
> alert tcp any any -> any any (msg:"Adobe Acrobat
> Reader XFDF possible buffer overflow";
> content:"application/vnd.adobe.xfdf"; reference: url,
> classtype:bad-unknown; sid:99999; rev:1;)
And not to shoot down everything you did Joseph, :) this is going to be
chock full of falses. The filetype is legitimate, there's nothing to
differentiate this from a false. And I know I hit these files quite a
bit (and are all legitimate). Is there something we can add to it to
identify a malicious hit?
Thanks for the work Joseph.
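To make the flags question concrete, here is an added example (not from the thread or from Snort itself) that evaluates the header options of the quoted "Invalid fragment+TCP flags" rule against a few constructed packets. It assumes Snort 2 semantics: the ",12" list masks the two reserved flag bits out of the packet before comparison, and "!" means "not an exact match of the listed flags"; check this against the Snort version you actually run.

```python
from dataclasses import dataclass

# Snort flag letters -> TCP flag byte bits. "1"/"2" are the reserved bits
# (assumed 0x80/0x40; only their masking matters for the rule below).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40}
IP_MF = 0x01  # fragbits 'M' (more fragments) in Snort's R/D/M ordering


@dataclass
class Packet:
    flags: int     # raw TCP flag byte
    ack: int       # TCP acknowledgement number
    window: int    # TCP window size
    dsize: int     # TCP payload length
    fragbits: int  # IP fragment flag bits (R=4, D=2, M=1)


def flags_to_bits(spec: str) -> int:
    """Turn a flag letter string such as 'AP' or '0' (no flags) into a bitmask."""
    return sum(TCP_FLAG_BITS[ch] for ch in spec if ch != "0")


def match_flags(pkt: Packet, option: str) -> bool:
    """Evaluate a Snort 'flags:' value, e.g. 'S', '+S', '*SA' or '!AP,12'."""
    spec, _, ignore = option.partition(",")
    mode = "exact"
    if spec and spec[0] in "+*!":
        mode, spec = spec[0], spec[1:]
    want = flags_to_bits(spec)
    have = pkt.flags & (0xFF & ~flags_to_bits(ignore))  # drop ignored bits
    if mode == "+":
        return (have & want) == want   # listed bits set, others allowed
    if mode == "*":
        return (have & want) != 0      # any listed bit set
    if mode == "!":
        return have != want            # assumed: not an exact match
    return have == want


def matches_invalid_fragment_rule(pkt: Packet) -> bool:
    """Header tests from the quoted rule: dsize:0; ack:0; fragbits:!M; flags:!AP,12; window:2048."""
    return (pkt.dsize == 0 and pkt.ack == 0
            and not (pkt.fragbits & IP_MF)
            and match_flags(pkt, "!AP,12")
            and pkt.window == 2048)


# Constructed sample packets, not captured traffic.
NO_FLAGS = Packet(flags=0x00, ack=0, window=2048, dsize=0, fragbits=0)
RESERVED_BITS_ONLY = Packet(flags=0xC0, ack=0, window=2048, dsize=0, fragbits=0)
ACK_PUSH = Packet(flags=0x18, ack=0, window=2048, dsize=0, fragbits=0)
ACK_WITH_NUMBER = Packet(flags=0x10, ack=12345, window=2048, dsize=0, fragbits=0)
```

Running the rule over these shows that the reserved-bits-only packet still matches because ",12" strips those bits before the comparison, while a plain ACK+PSH or any packet carrying an ack number does not.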