[Snort-sigs] help with 2 rules

BoFH BoFH at ...2981...
Wed Mar 2 13:23:10 EST 2005

On  0, "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland at ...2112...> scribed:
> I used to find links to the vulnerabilities in the sigs?  Can you help me under
> stand these two alerts?  

Well, I think you just came across a small problem with using bleeding
edge sigs. Documentation and references. It may be that while sigs are
being developed and tuned, that reference info may not be included. A
bit of googling is required.

> I believe this one is a chat alert?

No, it's meant to detect a nickname change in an irc session that is
taking place over non-standard IRC ports. Personally, I wouldn't care
about a nick change, only that a potential IRC session was happening on
non-irc ports but whatever.

Incidentally, this does not necessarily indicate trojan activity, but
you could probably assign a better classtype for yourself.

> alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - N
> ick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:
> <64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-acti
> vity; sid:2000345; rev:3;)
>    I have no idea what this exploit is for??
>    alert  tcp  any  $HTTP_PORTS  ->  $HOME_NET  any  (msg: "BLEEDING-EDGE
>    Exploit   ATmaCA   PoC   for   CORE-2004-0819   --   bad  PNG";  flow:
>    to_client,established;  content:  "|8950 4e47 0d0a 1a0a 0000 000d 4948
>    4452|"; byte_test: 4,>,256,17,relative;  content: "tRNS"; distance: 4;
>    classtype:misc-attack; sid:2001723; rev:2;)

Well, it looks like something to do with a CORE Technologies public
exploit for the recent png vulnerability in Microsoft Messenger. But
that is a guess based on the message. I think you might be better off
with sid 2673 from the official rule set.

>    Krisa Rowland


excuse #446:
Mailer-daemon is busy burning your message in hell

More information about the Snort-sigs mailing list