[Snort-sigs] FP for WEB-CLIENT winamp .cda file name overflow attempt Sig ID 3088

Russell Fulton r.fulton at ...575...
Fri Feb 18 18:56:09 EST 2005


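I'm seeing quite a few of these alerts, and they look like false positives. In the capture below, the packet is an HTTP response (source port 80) from main-v3.netscape.com carrying an HTML <SELECT> list of supported file extensions; '.cda' appears only as one of the <OPTION> values among many other extensions, so the signature appears to be matching on that string rather than on an over-long .cda file name: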


META
--------
SID     CID     TimeStamp               Signature
3       840221  2005-02-18 16:02:53     WEB-CLIENT winamp .cda file name overflow attempt
Sig ID
3088

Sensor Hostname                         Sensor Interface
hihi.itss       eth1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
64.12.180.19    130.216.28.1    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1420    37074   2       0       233     26784

Resolved Source
main-v3.netscape.com

Resolved Dest
eduf-link.eduf.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
80              19297           279622877       1076353437
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               16      34500   50815           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X                                       

DATA
--------
57696E31360A3C4F5054    Win16.<OPT
494F4E2056414C55453D    ION VALUE=
2757696E32303030273E    'Win2000'>
57696E323030300A3C4F    Win2000.<O
5054494F4E2056414C55    PTION VALU
453D2757696E332E3127    E='Win3.1'
3E57696E332E310A3C4F    >Win3.1.<O
5054494F4E2056414C55    PTION VALU
453D2757696E3935273E    E='Win95'>
57696E39350A3C4F5054    Win95.<OPT
494F4E2056414C55453D    ION VALUE=
2757696E3938273E5769    'Win98'>Wi
6E39380A3C4F5054494F    n98.<OPTIO
4E2056414C55453D2757    N VALUE='W
696E4D45273E57696E4D    inME'>WinM
450A3C4F5054494F4E20    E.<OPTION 
56414C55453D2757696E    VALUE='Win
4E54273E57696E4E540A    NT'>WinNT.
3C4F5054494F4E205641    <OPTION VA
4C55453D2757696E5850    LUE='WinXP
273E57696E58500A3C2F    '>WinXP.</
53454C4543543E3C2F46    SELECT></F
4F4E543E0A3C42523E0A    ONT>.<BR>.
3C464F4E5420434F4C4F    <FONT COLO
523D2330303030303020    R=#000000 
464143453D2773616E73    FACE='sans
2D73657269662C204172    -serif, Ar
69616C2C2048656C7665    ial, Helve
74696361272053495A45    tica' SIZE
3D313E200A3C53454C45    =1> .<SELE
4354204E414D453D2753    CT NAME='S
5550504F525445445F46    UPPORTED_F
494C455F455854454E53    ILE_EXTENS
494F4E53273E0A3C4F50    IONS'>.<OP
54494F4E2056414C5545    TION VALUE
3D27616C6C457874656E    ='allExten
73696F6E273E416C6C20    sion'>All 
46696C6520657874656E    File exten
73696F6E730A3C4F5054    sions.<OPT
494F4E2056414C55453D    ION VALUE=
272E303031273E2E3030    '.001'>.00
310A3C4F5054494F4E20    1.<OPTION 
56414C55453D272E3132    VALUE='.12
33273E2E3132330A3C4F    3'>.123.<O
5054494F4E2056414C55    PTION VALU
453D272E363639273E2E    E='.669'>.
3636390A3C4F5054494F    669.<OPTIO
4E2056414C55453D272E    N VALUE='.
43474D273E2E43474D0A    CGM'>.CGM.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E52617227    LUE='.Rar'
3E2E5261720A3C4F5054    >.Rar.<OPT
494F4E2056414C55453D    ION VALUE=
272E61616D273E2E6161    '.aam'>.aa
6D0A3C4F5054494F4E20    m.<OPTION 
56414C55453D272E6163    VALUE='.ac
65273E2E6163650A3C4F    e'>.ace.<O
5054494F4E2056414C55    PTION VALU
453D272E616570273E2E    E='.aep'>.
6165700A3C4F5054494F    aep.<OPTIO
4E2056414C55453D272E    N VALUE='.
61666C273E2E61666C0A    afl'>.afl.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E61696627    LUE='.aif'
3E2E6169660A3C4F5054    >.aif.<OPT
494F4E2056414C55453D    ION VALUE=
272E61696663273E2E61    '.aifc'>.a
6966630A3C4F5054494F    ifc.<OPTIO
4E2056414C55453D272E    N VALUE='.
61696666273E2E616966    aiff'>.aif
660A3C4F5054494F4E20    f.<OPTION 
56414C55453D272E6172    VALUE='.ar
6A273E2E61726A0A3C4F    j'>.arj.<O
5054494F4E2056414C55    PTION VALU
453D272E6173273E2E61    E='.as'>.a
730A3C4F5054494F4E20    s.<OPTION 
56414C55453D272E6173    VALUE='.as
66273E2E6173660A3C4F    f'>.asf.<O
5054494F4E2056414C55    PTION VALU
453D272E617370273E2E    E='.asp'>.
6173700A3C4F5054494F    asp.<OPTIO
4E2056414C55453D272E    N VALUE='.
617378273E2E6173780A    asx'>.asx.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E6175273E    LUE='.au'>
2E61750A3C4F5054494F    .au.<OPTIO
4E2056414C55453D272E    N VALUE='.
617669273E2E6176690A    avi'>.avi.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E61767827    LUE='.avx'
3E2E6176780A3C4F5054    >.avx.<OPT
494F4E2056414C55453D    ION VALUE=
272E617873273E2E6178    '.axs'>.ax
730A3C4F5054494F4E20    s.<OPTION 
56414C55453D272E6262    VALUE='.bb
7A273E2E62627A0A3C4F    z'>.bbz.<O
5054494F4E2056414C55    PTION VALU
453D272E626D70273E2E    E='.bmp'>.
626D700A3C4F5054494F    bmp.<OPTIO
4E2056414C55453D272E    N VALUE='.
627A6970273E2E627A69    bzip'>.bzi
700A3C4F5054494F4E20    p.<OPTION 
56414C55453D272E6334    VALUE='.c4
273E2E63340A3C4F5054    '>.c4.<OPT
494F4E2056414C55453D    ION VALUE=
272E63616C273E2E6361    '.cal'>.ca
6C0A3C4F5054494F4E20    l.<OPTION 
56414C55453D272E6361    VALUE='.ca
6C73273E2E63616C730A    ls'>.cals.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E63637627    LUE='.ccv'
3E2E6363760A3C4F5054    >.ccv.<OPT
494F4E2056414C55453D    ION VALUE=
272E636461273E2E6364    '.cda'>.cd
610A3C4F5054494F4E20    a.<OPTION 
56414C55453D272E6364    VALUE='.cd
72273E2E6364720A3C4F    r'>.cdr.<O
5054494F4E2056414C55    PTION VALU
453D272E636477273E2E    E='.cdw'>.
6364770A3C4F5054494F    cdw.<OPTIO
4E2056414C55453D272E    N VALUE='.
636478273E2E6364780A    cdx'>.cdx.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E6364786D    LUE='.cdxm
6C273E2E6364786D6C0A    l'>.cdxml.
3C4F5054494F4E205641    <OPTION VA
4C55453D272E63666D27    LUE='.cfm'
3E2E63666D0A3C4F5054    >.cfm.<OPT
494F4E2056414C55453D    ION VALUE=
272E63676D273E2E6367    '.cgm'>.cg
6D0A3C4F5054494F4E20    m.<OPTION 
56414C55453D272E6368    VALUE='.ch
6D273E2E63686D0A3C4F    m'>.chm.<O
5054494F4E2056414C55    PTION VALU
453D272E636966273E2E    E='.cif'>.
6369660A3C4F5054494F    cif.<OPTIO
4E2056414C55453D272E    N VALUE='.
636974273E2E6369740A    cit'>.cit.

DATA
--------
Win16.<OPTION VALUE='Win2000'>Win2000.<OPTION VALUE='Win3.1'
>Win3.1.<OPTION VALUE='Win95'>Win95.<OPTION VALUE='Win98'>Wi
n98.<OPTION VALUE='WinME'>WinME.<OPTION VALUE='WinNT'>WinNT.
<OPTION VALUE='WinXP'>WinXP.</SELECT></FONT>.<BR>.<FONT COLO
R=#000000 FACE='sans-serif, Arial, Helvetica' SIZE=1> .<SELE
CT NAME='SUPPORTED_FILE_EXTENSIONS'>.<OPTION VALUE='allExten
sion'>All File extensions.<OPTION VALUE='.001'>.001.<OPTION 
VALUE='.123'>.123.<OPTION VALUE='.669'>.669.<OPTION VALUE='.
CGM'>.CGM.<OPTION VALUE='.Rar'>.Rar.<OPTION VALUE='.aam'>.aa
m.<OPTION VALUE='.ace'>.ace.<OPTION VALUE='.aep'>.aep.<OPTIO
N VALUE='.afl'>.afl.<OPTION VALUE='.aif'>.aif.<OPTION VALUE=
'.aifc'>.aifc.<OPTION VALUE='.aiff'>.aiff.<OPTION VALUE='.ar
j'>.arj.<OPTION VALUE='.as'>.as.<OPTION VALUE='.asf'>.asf.<O
PTION VALUE='.asp'>.asp.<OPTION VALUE='.asx'>.asx.<OPTION VA
LUE='.au'>.au.<OPTION VALUE='.avi'>.avi.<OPTION VALUE='.avx'
>.avx.<OPTION VALUE='.axs'>.axs.<OPTION VALUE='.bbz'>.bbz.<O
PTION VALUE='.bmp'>.bmp.<OPTION VALUE='.bzip'>.bzip.<OPTION 
VALUE='.c4'>.c4.<OPTION VALUE='.cal'>.cal.<OPTION VALUE='.ca
ls'>.cals.<OPTION VALUE='.ccv'>.ccv.<OPTION VALUE='.cda'>.cd
a.<OPTION VALUE='.cdr'>.cdr.<OPTION VALUE='.cdw'>.cdw.<OPTIO
N VALUE='.cdx'>.cdx.<OPTION VALUE='.cdxml'>.cdxml.<OPTION VA
LUE='.cfm'>.cfm.<OPTION VALUE='.cgm'>.cgm.<OPTION VALUE='.ch
m'>.chm.<OPTION VALUE='.cif'>.cif.<OPTION VALUE='.cit'>.cit.
