[Snort-sigs] help with 2 rules
BoFH at ...2981...
Wed Mar 2 13:23:10 EST 2005
On 0, "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland at ...2112...> scribed:
> I used to find links to the vulnerabilities in the sigs? Can you help me
> understand these two alerts?
Well, I think you just came across a small problem with using bleeding-edge
sigs: documentation and references. It may be that while sigs are
being developed and tuned, reference info may not be included. A
bit of googling is required.
> I believe this one is a chat alert?
No, it's meant to detect a nickname change in an irc session that is
taking place over non-standard IRC ports. Personally, I wouldn't care
about a nick change, only that a potential IRC session was happening on
non-irc ports but whatever.
Incidentally, this does not necessarily indicate trojan activity, but
you could probably assign a better classtype for yourself.
> alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000345; rev:3;)
> I have no idea what this exploit is for??
> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4; classtype:misc-attack; sid:2001723; rev:2;)
Well, it looks like something to do with a CORE Technologies public
exploit for the recent png vulnerability in Microsoft Messenger. But
that is a guess based on the message. I think you might be better off
with sid 2673 from the official rule set.
> Krisa Rowland
Mailer-daemon is busy burning your message in hell
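Added example (not code from the original post, nor from the Bleeding Edge or official Snort rule sets): the Python below re-implements the payload checks the two quoted rules perform, so the matching logic can be exercised against constructed packets offline. It models only the content, offset/depth, dsize, byte_test/distance and destination-port conditions; flow direction and the $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables are not modelled. The IRC lines and the PNG payloads are constructed here, and the reading that byte_test leaves Snort's detection pointer at the end of the preceding content match (so "distance:4" counts from the end of the IHDR match) is an assumption about Snort 2 semantics.

```python
"""Payload-level re-implementation of sid 2000345 (IRC NICK on a non-standard
port) and sid 2001723 (PNG whose chunk after IHDR is longer than 256 bytes,
followed by a tRNS chunk).  Added example; assumes Snort 2 byte_test/distance
semantics as described in the lead-in."""
import struct
import zlib

# The 16-byte content from sid 2001723: PNG signature + IHDR length + "IHDR"
PNG_IHDR_SIG = bytes.fromhex("89504e470d0a1a0a0000000d49484452")


def matches_irc_nick(payload: bytes, dport: int) -> bool:
    """sid 2000345: 'NICK ' at offset:0 depth:5 nocase, dsize:<64,
    destination port outside 6661:6668."""
    if 6661 <= dport <= 6668:            # header port spec is !6661:6668
        return False
    if len(payload) >= 64:               # dsize:<64
        return False
    return payload[:5].upper() == b"NICK "   # offset:0; depth:5; nocase


def matches_bad_png(payload: bytes) -> bool:
    """sid 2001723: IHDR signature, then byte_test:4,>,256,17,relative,
    then content:"tRNS"; distance:4."""
    idx = payload.find(PNG_IHDR_SIG)
    if idx < 0:
        return False
    doe = idx + len(PNG_IHDR_SIG)        # detection pointer after the match
    # byte_test:4,>,256,17,relative reads 4 big-endian bytes at doe+17.
    # 17 = 13 bytes of IHDR data + 4 bytes of IHDR CRC, i.e. the LENGTH
    # field of whatever chunk follows IHDR.
    if doe + 21 > len(payload):
        return False
    (length,) = struct.unpack(">I", payload[doe + 17:doe + 21])
    if not length > 256:
        return False
    # content:"tRNS"; distance:4 -> unbounded search from doe+4 onward
    # (assumption: byte_test does not move the detection pointer).
    return payload.find(b"tRNS", doe + 4) >= 0


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32(type+data), as PNG lays out a chunk."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(first_chunk_type: bytes, first_chunk_len: int) -> bytes:
    """Constructed HTTP response carrying a 1x1 palette PNG; the caller picks
    the chunk that immediately follows IHDR (hypothetical test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)   # 1x1, 8-bit, palette
    body = b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
    body += png_chunk(first_chunk_type, b"\x00" * first_chunk_len)
    body += png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    body += png_chunk(b"IEND", b"")
    return b"HTTP/1.0 200 OK\r\nContent-Type: image/png\r\n\r\n" + body


# Constructed samples
BENIGN_PNG = build_png(b"PLTE", 3)     # ordinary small palette: no alert
BAD_PNG = build_png(b"tRNS", 300)      # tRNS longer than 256 bytes: alert
EDGE_PNG = build_png(b"tRNS", 256)     # exactly 256: '>' fails, no alert
BIG_IDAT_PNG = build_png(b"IDAT", 300) # large chunk but no tRNS: no alert

if __name__ == "__main__":
    print("irc nick on 8080:", matches_irc_nick(b"NICK evilbot\r\n", 8080))
    print("irc nick on 6667:", matches_irc_nick(b"NICK evilbot\r\n", 6667))
    for name, png in (("benign", BENIGN_PNG), ("bad", BAD_PNG),
                      ("edge", EDGE_PNG), ("big idat", BIG_IDAT_PNG)):
        print(name, "png:", matches_bad_png(png))
```

Running it shows the point made above: the IRC rule fires on any short line starting with NICK to a port outside 6661-6668, and the PNG rule needs both the oversize chunk directly after IHDR and a tRNS type somewhere after it, so a large IDAT alone or a tRNS of exactly 256 bytes does not alert.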