[Snort-sigs] Windows Messenger/MSN Messenger

Matt Jonkman mjonkman at ...2436...
Mon Feb 21 07:04:21 EST 2005


We've got a few others up on bleeding snort as well. Erik Fichtner did a 
few up on the bleeding-sigs mailing list. They appear to be stable, no 
falses yet.

I'll put these up and we'll all give them a test and see.

Matt

Jaramillo, Paul D [CC] wrote:
> I've been reviewing the new signatures for the PNG Buffer Overflow 
> Vulnerability (MS05-009), and I'm not sure that these would even work. From 
> the testing that I've done today every capture is wrapped in Microsoft's 
> messaging protocol and generates False Negatives when a PNG image is 
> displayed or transferred. Any thoughts?
> 
> Snort Signatures: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"WEB-CLIENT libpng tRNS overflow attempt"; 
> flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; 
> content:"IHDR"; distance:4; within:4; content:"tRNS"; distance:0; 
> byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; 
> reference:cve,2004-0597; reference:bugtraq,10872; 
> classtype:attempted-admin; sid:2673; rev:2;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
> libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; 
> content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; 
> flow:established,to_client; classtype:attempted-admin; 
> reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
> 
> Snort Signatures: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"libPNG - Remotely exploitable stack-based bufferoverrun in 
> png_handle_tRNS"; 
> pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S])\x03/Ri"; content:"tRNS"; 
> byte_jump:4, -8, relative, big; pcre:"/([\s\S])/R"; 
> pcre:"/([a-zA-Z])[A-Z][a-zA-Z]/R"; 
> reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; 
> classtype:misc-activity; sid:2000000; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 
> libpng tRNS overflow attempt"; flow:to_client,established; 
> content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; distance:4; within:4; 
> content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; 
> pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; 
> reference:bugtraq,10872; classtype:attempted-admin; sid:2673; rev:2;)
> 
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"libpng tRNS overflow 
> attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; 
> content:"tRNS"; byte_test:4,>,256,-8,relative,big; 
> flow:established,to_client; classtype:attempted-admin; 
> reference:cve,CAN-2004-0597; sid:1000117; rev:2;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
> libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; 
> content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; 
> flow:established,to_client; classtype:attempted-admin; 
> reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
> 
> Thx
> 
> *Paul D. Jaramillo*
> Security Event Management
> Sprint Corporate Security
> 913-315-8036
> 
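The quoted rules all reduce to the same check: a tRNS chunk whose 4-byte big-endian length field (read with byte_test 8 bytes back from the "tRNS" match) exceeds 256, with no PLTE chunk earlier in the file. The following added example, not part of the thread, emulates that logic in Python over a raw byte stream so the check can be exercised on captures regardless of the transport wrapping the image; the wrapper bytes and the PNG samples are constructed test data, not real Messenger framing or a working exploit.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TRNS_MAX = 256  # the threshold the quoted rules use: byte_test:4,>,256,-8,relative,big

def png_chunks(data, start):
    """Yield (type, declared_length, body) for each chunk after the signature at `start`."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, length, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break

def scan_stream(data):
    """Report every embedded PNG whose tRNS chunk declares more than TRNS_MAX bytes
    before any PLTE chunk. Returns a list of (png_offset, declared_trns_length)."""
    hits = []
    start = data.find(PNG_SIG)
    while start != -1:
        saw_plte = False
        for ctype, length, _ in png_chunks(data, start):
            if ctype == b"PLTE":
                saw_plte = True
            elif ctype == b"tRNS" and not saw_plte and length > TRNS_MAX:
                hits.append((start, length))
        start = data.find(PNG_SIG, start + 1)
    return hits

def chunk(ctype, body):
    """Build a well-formed PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png(trns_len):
    """Constructed 1x1 greyscale PNG with a tRNS chunk of the given length."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tRNS", b"\x00" * trns_len) + chunk(b"IEND", b"")

# Constructed samples: an arbitrary wrapper prefix stands in for whatever protocol
# carries the image; a 2-byte tRNS is normal for greyscale, 300 bytes is not.
WRAPPER = b"CONSTRUCTED-WRAPPER-HEADER\r\n\r\n" + b"\x00" * 48
BENIGN = WRAPPER + build_png(2)
SUSPECT = WRAPPER + build_png(300)

if __name__ == "__main__":
    print(scan_stream(BENIGN))   # []
    print(scan_stream(SUSPECT))  # [(78, 300)]
```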
