[Snort-sigs] FP on 3677 (SIP UDP Cseq overflow)

Jeff Kell jeff-kell at ...922...
Tue Jun 7 06:58:27 EDT 2005


I suspect the sig may be off-by-one (perhaps?) in its checking, or else this was tailored specifically to trigger on packets that would trip Ethereal (but are otherwise valid SIP):

Rule:  EXPLOIT SIP UDP CSeq overflow attempt
--
Sid:  3677
--
Detailed Information:
   content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16;
--
False Positives:  triggered by packets such as this:

REGISTER sip:172.17.100.228 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102:5060;rport;branch=z9hG4bK5BDD50FEB26C4C33ABD1D1414D753778
From: Theresa <sip:7177 at ...3084...>;tag=1875065834
To: Theresa <sip:7177 at ...3084...>
Contact: "Theresa" <sip:7177 at ...3085...:5060>
Call-ID: EF3C3821E5124AC9AEB770CF5B36E14F at ...3084...
CSeq: 37264 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0
--
Corrective Action:
Is the last "within: 16" a byte too large? (haven't checked the protocol refs).  The 0x0A would fall in the 16th position...

Jeff
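To reason about the off-by-one question concretely, here is an added Python model (not from the post, not Snort's own code) of how the three detection options in sid 3677 chain together: a case-insensitive `CSeq:` match moves the detect cursor to just past the colon, `isdataat:16,relative` requires a byte at offset 16 after the cursor, and the negated `content:!"|0A|"; within:16;` fails the rule as soon as a line feed appears in the 16 bytes after the cursor. The sample REGISTER is constructed to mirror the one above (addresses replaced with documentation values, lines terminated with CRLF as SIP requires). The `within` semantics and the rule/option names are taken from the post; the exact window arithmetic is my reading of Snort's option semantics and is an assumption to confirm against the Snort manual before changing the rule.

```python
import re

# Constructed sample REGISTER request modelled on the one in the post
# (addresses replaced with documentation values). SIP lines end in CRLF.
SAMPLE_REGISTER = (
    b"REGISTER sip:192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.20:5060;rport;branch=z9hG4bKconstructed\r\n"
    b"From: Theresa <sip:7177@example.invalid>;tag=1875065834\r\n"
    b"To: Theresa <sip:7177@example.invalid>\r\n"
    b"Contact: \"Theresa\" <sip:7177@192.0.2.20:5060>\r\n"
    b"Call-ID: constructed-call-id@example.invalid\r\n"
    b"CSeq: 37264 REGISTER\r\n"
    b"Expires: 1800\r\n"
    b"Max-Forwards: 70\r\n"
    b"User-Agent: X-Lite release 1103m\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def cseq_rule_matches(payload: bytes, within: int = 16, isdataat: int = 16) -> bool:
    """Model (assumption, not Snort's engine) of the sid 3677 options, in order:
       content:"CSeq|3A|"; nocase;      -> find "CSeq:" case-insensitively
       isdataat:<n>,relative;           -> a byte exists at offset n after the match
       content:!"|0A|"; within:<w>;     -> no LF in the w bytes after the match
    Returns True when all three pass, i.e. the rule would alert."""
    m = re.search(rb"CSeq:", payload, re.IGNORECASE)
    if m is None:
        return False
    rest = payload[m.end():]          # detect cursor sits right after "CSeq:"
    if len(rest) <= isdataat:         # isdataat:n,relative needs index n to exist
        return False
    return b"\n" not in rest[:within]  # negated content: any LF in window -> no alert


def lf_offset_after_cseq(payload: bytes) -> int:
    """0-based offset of the first LF after 'CSeq:', or -1 if none."""
    m = re.search(rb"CSeq:", payload, re.IGNORECASE)
    if m is None:
        return -1
    idx = payload.find(b"\n", m.end())
    return -1 if idx < 0 else idx - m.end()


if __name__ == "__main__":
    # " 37264 REGISTER" is 15 bytes, then CR at offset 15 and LF at offset 16,
    # so the LF sits one byte outside a 16-byte window and the rule alerts.
    print("LF offset after CSeq:", lf_offset_after_cseq(SAMPLE_REGISTER))
    for w in (15, 16, 17):
        print(f"within:{w} -> alert={cseq_rule_matches(SAMPLE_REGISTER, within=w)}")
    # Same header with bare-LF line endings, for comparison: LF lands at offset 15.
    lf_only = SAMPLE_REGISTER.replace(b"\r\n", b"\n")
    print("LF-only line endings, within:16 ->", cseq_rule_matches(lf_only))
```

Running it shows the point of the report: with CRLF line endings the CSeq line `CSeq: 37264 REGISTER` puts the LF at offset 16 after the colon, one byte past the 16-byte window, so a perfectly ordinary five-digit CSeq on a REGISTER satisfies the negated match and alerts; widening the window to 17 (or the same header with bare LF endings) pulls the LF inside the window and the rule stays quiet. Whether 16 or 17 is the right bound is exactly the question the post raises, and this model only makes the arithmetic visible for whoever checks the protocol references.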
