[Snort-sigs] snort rule 2329

Ekblad, Eric M EkblEM at ...2314...
Tue Mar 16 06:28:03 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 
 
Rule:  
MS-SQL probe response overflow attempt
--
Sid:
2329
--
Summary:
Not sure if matching all criteria in rule body
--
Impact:
False +
--
Detailed Information:
Failing (I believe):
        byte_test:2,>,512,1;          <cannot find 2 octets higher than 81 83 next to each other; am I reading this right?>
        isdataat:512                  <If isdataat in BYTES, this packet only has 88 bytes>
--
Affected Systems:
Win 2k
--
Attack Scenarios:
 
--
Ease of Attack:
 
--
False Positives:
 
--
False Negatives:
 
--
Corrective Action:
Don't know if I'm reading byte_test right or not, don't know how it
could work.
--
Contributors:
 
-- 
Additional References:
 
 
 
THIS WAS MY TRIP:
 
Generated by ACID v0.9.6b23 on Mon, 15 Mar 2004 13:49:10 -0600
 
------------------------------------------------------------------------------
#(5 - 1893) [2004-03-15 13:16:26] url[bugtraq/9407] [cve/can-2003-0903] [icat/can-2003-0903] [snort/2329]  MS-SQL probe response overflow attempt
IPv4: 161.99.5.167 -> 149.178.200.203
      hlen=5 TOS=40 dlen=164 ID=61414 flags=0 offset=0 TTL=56 chksum=36018
UDP:  port=53 -> dport: 1123 len=144
Payload:  length = 136
 
000 : 05 3B 81 83 00 01 00 00 00 01 00 00 05 5F 6C 64   .;..........._ld
010 : 61 70 04 5F 74 63 70 03 54 4F 52 06 5F 73 69 74   ap._tcp.TOR._sit
020 : 65 73 02 64 63 06 5F 6D 73 64 63 73 0B 42 50 31   es.dc._msdcs.BP1
030 : 54 4F 52 49 53 30 30 31 00 00 21 00 01 00 00 06   TORIS001..!.....
040 : 00 01 00 00 12 49 00 40 01 41 0C 52 4F 4F 54 2D   .....I.@.A.ROOT-
050 : 53 45 52 56 45 52 53 03 4E 45 54 00 05 4E 53 54   SERVERS.NET..NST
060 : 4C 44 0C 56 45 52 49 53 49 47 4E 2D 47 52 53 03   LD.VERISIGN-GRS.
070 : 43 4F 4D 00 77 73 18 0C 00 00 07 08 00 00 03 84   COM.ws..........
080 : 00 09 3A 80 00 01 51 80                           ..:...Q.
 
 
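As an added example (not part of the original post or of the Snort rule set), the script below evaluates the two rule options quoted in the message, byte_test:2,>,512,1 and isdataat:512, against the UDP payload from the ACID dump above, using the non-relative option semantics from the Snort rule-writing documentation; the rest of rule 2329's body is not on this page and is not modelled.

```python
# Added example: evaluate byte_test:2,>,512,1 and isdataat:512 (as quoted
# in the message) over the payload from the ACID dump. Hex bytes are copied
# from the dump; option semantics follow Snort's documentation for the
# non-relative forms of these options.
import operator

# The 136-byte UDP payload shown in the dump above (hex column only).
PAYLOAD_HEX = """
05 3B 81 83 00 01 00 00 00 01 00 00 05 5F 6C 64
61 70 04 5F 74 63 70 03 54 4F 52 06 5F 73 69 74
65 73 02 64 63 06 5F 6D 73 64 63 73 0B 42 50 31
54 4F 52 49 53 30 30 31 00 00 21 00 01 00 00 06
00 01 00 00 12 49 00 40 01 41 0C 52 4F 4F 54 2D
53 45 52 56 45 52 53 03 4E 45 54 00 05 4E 53 54
4C 44 0C 56 45 52 49 53 49 47 4E 2D 47 52 53 03
43 4F 4D 00 77 73 18 0C 00 00 07 08 00 00 03 84
00 09 3A 80 00 01 51 80
"""
PAYLOAD = bytes.fromhex(PAYLOAD_HEX)  # fromhex skips the whitespace

_OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

def byte_test(payload, nbytes, op, value, offset, little_endian=False):
    """Snort byte_test:<bytes>,<op>,<value>,<offset> (non-relative form).

    Reads `nbytes` bytes starting at `offset` from the start of the payload
    as one unsigned integer (big-endian unless told otherwise) and compares
    that integer to `value`. Returns (integer_read, comparison_result).
    """
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return None, False  # field runs past the end of the payload
    n = int.from_bytes(chunk, "little" if little_endian else "big")
    return n, _OPS[op](n, value)

def isdataat(payload, offset):
    """Snort isdataat:<offset> (non-relative): is there a byte at `offset`?"""
    return len(payload) > offset

if __name__ == "__main__":
    n, ok = byte_test(PAYLOAD, 2, ">", 512, 1)
    print(f"byte_test:2,>,512,1 reads bytes 1-2 as 0x{n:04X} ({n}) -> {ok}")
    print(f"isdataat:512 on a {len(PAYLOAD)}-byte payload -> {isdataat(PAYLOAD, 512)}")
```

The two bytes at offset 1 are 3B 81, read as the single integer 0x3B81, so that comparison is true on this packet, while isdataat:512 is false for a 136-byte payload.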