[Snort-sigs] help with 2 rules
matt at ...2436...
Wed Mar 2 13:46:32 EST 2005
True, we lack refs and documentation on a lot of rules. :) We're working
on that, and upcoming changes may help us there.
>> alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE
>> Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow:
>> to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948
>> 4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4;
>> classtype:misc-attack; sid:2001723; rev:2;)
> Well, it looks like something to do with a CORE Technologies public
> exploit for the recent png vulnerability in Microsoft Messenger. But
> that is a guess based on the message. I think you might be better off
> with sid 2673 from the official rule set.
This was for that png exploit. And yes, the snort.org rule detects it
much more reliably. I think we'll drop this sig from bleeding since
snort.org does it better.
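As an added illustration, not code from the list post or the Bleeding Edge rule set: the quoted rule anchors on the PNG signature and the IHDR tag, then requires a chunk length field greater than 256 followed by a tRNS tag. The Python below walks the PNG chunk layout directly and reports a tRNS chunk whose declared length exceeds that threshold (reading the rule's byte_test as the tRNS chunk length is my assumption, and both sample files are constructed in the script).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # the |8950 4e47 0d0a 1a0a| bytes the rule anchors on
TRNS_LIMIT = 256                  # the byte_test threshold from the quoted rule


def chunk(ctype, body):
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, declared_length, bytes_present, crc_ok) for each chunk after the signature."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]          # may be short if the file is truncated
        crc_field = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_field) == 4 and
                  struct.unpack(">I", crc_field)[0] == zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield ctype, length, len(body), crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def suspicious_trns(data):
    """Return the declared length of an oversized tRNS chunk, or None if none is found.

    Mirrors my reading of the rule: signature, a leading 13-byte IHDR chunk, then a
    tRNS chunk declaring more than TRNS_LIMIT bytes (a palette tRNS never needs more
    than 256 entries, so a larger declaration is worth flagging).
    """
    chunks = list(iter_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR" or chunks[0][1] != 13:
        return None   # not a well-formed IHDR-first PNG; the rule would not match either
    for ctype, declared, _present, _crc_ok in chunks:
        if ctype == b"tRNS" and declared > TRNS_LIMIT:
            return declared
    return None


# Constructed samples: a 1x1 8-bit palette image, once with a 3-byte tRNS and once
# with a tRNS chunk declaring 1024 bytes.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
BENIGN_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"tRNS", b"\x00" * 3) + chunk(b"IEND", b"")
BAD_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"tRNS", b"\x00" * 1024) + chunk(b"IEND", b"")
```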