[Snort-sigs] help with 2 rules

Schott, Erik J Mr ANOSC/FCBS erik.schott-FCBS at ...3012...
Wed Mar 2 13:17:20 EST 2005


Hi Krisa.  You are correct.  The first alert IS a chat alert, as per
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/bleeding-attack_response.rules?rev=1.3 .

And the second is a MSN Messenger PNG Image Buffer Overflow Download
Shellcoded Exploit as per
http://lists.bleedingsnort.com/pipermail/bleeding-sigs/2005-February/000023.html .

-----Original Message-----
From: Rowland, Krisa W ERDC-ITL-MS Contractor
[mailto:Krisa.W.Rowland at ...2112...]
Sent: Wednesday, March 02, 2005 2:07 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] help with 2 rules


I used to find links to the vulnerabilities in the sigs?  Can you help me
understand these two alerts?  

I believe this one is a chat alert?

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000345; rev:3;)

I have no idea what this exploit is for??

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4; classtype:misc-attack; sid:2001723; rev:2;)

Krisa Rowland
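As an added illustration (not part of either message and not Bleeding Snort code), the Python below walks the options of the second rule (sid 2001723) over a PNG built in the script: the content match on the PNG signature plus IHDR header, the byte_test on the length field of the chunk that follows IHDR, and the search for the "tRNS" chunk type. A tRNS chunk on a palette image holds one alpha byte per palette entry, so at most 256 bytes; a length above that is the "bad PNG" the rule is named for. It assumes Snort's byte_test does not move the match cursor, so distance:4 counts from the end of the IHDR match.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4e 47 0d 0a 1a 0a, as in the rule's hex content


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trns_len: int) -> bytes:
    """Constructed sample: 16x16 8-bit palette image (colour type 3) with a tRNS chunk
    of trns_len bytes right after IHDR.  Palette images legitimately have at most 256."""
    ihdr = struct.pack(">IIBBBBB", 16, 16, 8, 3, 0, 0, 0)  # 13 bytes: w, h, depth, ctype, ...
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tRNS", b"\x00" * trns_len)


def sid_2001723_matches(payload: bytes) -> bool:
    """Evaluate the rule's payload options in the order Snort would."""
    # content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|" -> signature, IHDR length (13), "IHDR"
    pat = PNG_SIG + b"\x00\x00\x00\x0dIHDR"
    pos = payload.find(pat)
    if pos < 0:
        return False
    cursor = pos + len(pat)  # end of the last content match

    # byte_test:4,>,256,17,relative -> skip 13 IHDR data bytes + 4 CRC bytes and read the
    # 4-byte length of the *next* chunk; fire only if it is larger than 256.
    at = cursor + 17
    if len(payload) < at + 4:
        return False
    next_len = struct.unpack(">I", payload[at:at + 4])[0]
    if not next_len > 256:
        return False

    # content:"tRNS"; distance:4 -> byte_test leaves the cursor alone, so the search for the
    # chunk type starts 4 bytes past the end of "IHDR" and is unbounded (no 'within').
    return payload.find(b"tRNS", cursor + 4) >= 0


if __name__ == "__main__":
    print("benign  (256-entry tRNS):", sid_2001723_matches(build_png(256)))
    print("oversize (300-byte tRNS):", sid_2001723_matches(build_png(300)))
```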
