[Snort-sigs] help with 2 rules

Matt Kettler mkettler at ...189...
Wed Mar 2 13:32:33 EST 2005


At 04:07 PM 3/2/2005, Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
>I have no idea what this exploit is for??
>
>alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit 
>ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; 
>content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 
>4,>,256,17,relative;  content: "tRNS"; distance: 4; classtype:misc-attack; 
>sid:2001723; rev:2;)

It's an MSN messenger exploit based on corrupted PNG files:

http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10

You can only tell because they left the Core Security advisory ID in the 
message part, but didn't include any references. It's one of the downsides 
of bleeding-edge.. not all the rules are as readable as they could be.. 
Still, better a rule that can be improved than no rule at all..
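To see what the rule above actually tests, here is an added Python emulation of its three detection options (my own code, not from the list or the rule's author), run over constructed PNG byte strings. It assumes Snort's usual semantics for `relative` byte_test and `distance`: offsets measured from the end of the previous content match, big-endian by default, and byte_test not advancing the detection pointer.

```python
import struct
import zlib

# Byte-for-byte the rule's first content match: PNG signature, the IHDR
# chunk length field (13) and the chunk type "IHDR".
PNG_SIG_IHDR = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
PNG_SIG = PNG_SIG_IHDR[:8]


def rule_2001723_matches(payload: bytes) -> bool:
    """Evaluate sid 2001723's options in order, as Snort would."""
    idx = payload.find(PNG_SIG_IHDR)
    if idx < 0:
        return False
    doe = idx + len(PNG_SIG_IHDR)  # detection pointer: end of first match
    # byte_test:4,>,256,17,relative -> offset 17 from the pointer skips the
    # 13-byte IHDR data and its 4-byte CRC, landing on the length field of
    # whatever chunk follows IHDR. byte_test does not move the pointer.
    field = payload[doe + 17:doe + 21]
    if len(field) < 4 or struct.unpack(">I", field)[0] <= 256:
        return False
    # content:"tRNS"; distance:4 -> search from pointer+4 with no upper
    # bound, so any later "tRNS" satisfies it, not only the oversized chunk.
    return payload.find(b"tRNS", doe + 4) >= 0


def png_chunk(ctype: bytes, data: bytes, length_field=None) -> bytes:
    """Encode a PNG chunk; length_field overrides the declared length."""
    length = len(data) if length_field is None else length_field
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", length) + ctype + data + struct.pack(">I", crc)


def sample_png(first: bytes, first_len_field: int) -> bytes:
    """Constructed 1x1 paletted PNG (not a real capture): IHDR, then the
    chunk named by `first` with a forged length field, then the other of
    PLTE/tRNS with its true length, then IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
    data = {b"PLTE": b"\x00\x00\x00", b"tRNS": b"\x00"}
    other = b"tRNS" if first == b"PLTE" else b"PLTE"
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(first, data[first], first_len_field)
            + png_chunk(other, data[other])
            + png_chunk(b"IEND", b""))


if __name__ == "__main__":
    for first, n in [(b"tRNS", 1), (b"tRNS", 1024), (b"PLTE", 3), (b"PLTE", 768)]:
        print(first.decode(), n, rule_2001723_matches(sample_png(first, n)))
```

The last case shows the rule as written also fires on a large chunk of any type after IHDR as long as a tRNS chunk appears later, which is worth knowing when triaging its alerts.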
