[Snort-sigs] help with 2 rules

Matt Jonkman matt at ...2436...
Wed Mar 2 13:46:32 EST 2005


True, we lack refs and documentation on a lot of rules. :) We're working
on that, and upcoming changes may help us there.

BoFH wrote:
>>   alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE
>>   Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow:
>>   to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948
>>   4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4;
>>   classtype:misc-attack; sid:2001723; rev:2;)
> 
> 
> Well, it looks like something to do with a CORE Technologies public
> exploit for the recent png vulnerability in Microsoft Messenger. But
> that is a guess based on the message. I think you might be better off
> with sid 2673 from the official rule set.

This was for that png exploit. And yes, the snort.org rule detects it 
much more reliably. I think we'll drop this sig from bleeding since 
snort.org does it better.

Matt
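As an added illustration of what the quoted rule's payload options actually test (this is not code from the thread or from the bleeding-edge ruleset), the following Python emulates the three payload checks of sid 2001723 over constructed PNG byte strings; the flow and port conditions are outside its scope, and the chunk builder and sample images are constructed for this example.

```python
import struct

# The 16 bytes of the rule's first content match: PNG signature + IHDR length/type.
PNG_SIG_IHDR = bytes.fromhex("89504e470d0a1a0a0000000d49484452")


def rule_2001723_matches(payload: bytes) -> bool:
    """Emulate the payload options of sid 2001723 (flow/port checks omitted).

    content: PNG signature + IHDR (16 bytes)
    byte_test: 4,>,256,17,relative  -> 4-byte big-endian value 17 bytes past the
        match (13 IHDR data bytes + 4 CRC bytes, i.e. the NEXT chunk's length
        field) must be > 256; byte_test does not move the detection cursor
    content: "tRNS"; distance: 4    -> "tRNS" anywhere at least 4 bytes past the
        IHDR match (no 'within', so any later chunk named tRNS satisfies it)
    """
    idx = payload.find(PNG_SIG_IHDR)
    if idx < 0:
        return False
    cursor = idx + len(PNG_SIG_IHDR)
    if cursor + 21 > len(payload):
        return False
    next_chunk_len = struct.unpack(">I", payload[cursor + 17:cursor + 21])[0]
    if not next_chunk_len > 256:
        return False
    return payload.find(b"tRNS", cursor + 4) >= 0


def chunk(ctype: bytes, data: bytes) -> bytes:
    """PNG chunk layout: length, type, data, CRC (CRC zeroed; the rule ignores it)."""
    return struct.pack(">I", len(data)) + ctype + data + b"\x00\x00\x00\x00"


def build_png(chunks) -> bytes:
    """Constructed sample: signature, a 1x1 palette IHDR, then (type, length)
    chunks filled with zero bytes. Not a real image; only the framing matters."""
    png = b"\x89PNG\r\n\x1a\n"
    png += chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0))
    for ctype, length in chunks:
        png += chunk(ctype, b"\x00" * length)
    return png


if __name__ == "__main__":
    print(rule_2001723_matches(build_png([(b"tRNS", 3)])))                  # False: ordinary tRNS
    print(rule_2001723_matches(build_png([(b"tRNS", 300)])))                # True: oversized tRNS
    print(rule_2001723_matches(build_png([(b"PLTE", 300), (b"tRNS", 3)])))  # True: false positive
```

The last case shows how a legitimate image can trip the rule: byte_test only reads the length of whichever chunk follows IHDR, so a valid 100-entry PLTE (300 bytes) followed by a normal tRNS matches just like an oversized tRNS would.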
