[Snort-sigs] lots of FPs (?) for BLEEDING-EDGE EXPLOIT Windows Media Player parsing 0 size BMP file Vuln (MS06-005),Sig ID,2002802

Russell Fulton r.fulton at ...575...
Sat Feb 18 19:10:01 EST 2006


I'm seeing lots of hits on this rule from all over the net.  Either
there is a successful worm that I have not heard about (;) or we have
some false +ves.

As always I'm happy to supply more packet captures to researchers.

Russell

META
--------
SID	CID	TimeStamp		Signature	Sig ID
6	8175125	2006-02-19 14:53:11	BLEEDING-EDGE EXPLOIT Windows Media Player parsing 0 size BMP file Vuln (MS06-005)	2002802

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
38.116.139.254	130.216.191.183	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	1500	37867	2	0	51	47406

Resolved Source
Could Not Resolve
Resolved Dest
gate1.ec.auckland.ac.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
80		59092		3465964190	2050439349
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		16	6432	64992		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X					

DATA
--------
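As an added example (not from the post or the Bleeding Edge ruleset) of why a signature of this kind fires on arbitrary binary downloads: the captured payload carries the bytes 42 4D ("BM") followed by a run of zeros well inside a stream of other data. The naive matcher below is an assumption about the rule's logic, and the structural check is one triage filter an analyst could run over the payload before calling an alert a true positive; all sample payloads are constructed.

```python
import struct

# Constructed sample: a binary blob that is not a BMP file but contains "BM"
# followed by zero bytes mid-stream, mimicking the payload shape in the alert.
NOISE = b"\x7eG\x00\x00\x40GX\x01BG\xfeBLGH\x01\\G\xff\x01vG\x80\x00xG\x00\x00RG"
SAMPLE_FP = NOISE + b"\x00" * 64 + b"AEBM" + b"\x00" * 32 + b"PRST&\n\xf5\n"


def bmp_header(size, off_bits=54, width=1, height=1):
    """Build a 54-byte BMP header (BITMAPFILEHEADER + BITMAPINFOHEADER)."""
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                           0, 0, 0, 0, 0, 0)
    return file_hdr + info_hdr


# Constructed: a BMP whose bfSize field is 0 (the MS06-005 shape) and a benign one.
SAMPLE_TP = bmp_header(size=0) + b"\x00" * 6
SAMPLE_OK = bmp_header(size=60) + b"\x00" * 6


def naive_match(payload):
    """Content-style check (assumed rule logic): 'BM' immediately followed by a
    zero 32-bit size field, anywhere in the stream."""
    pos = payload.find(b"BM")
    while pos != -1:
        if payload[pos + 2:pos + 6] == b"\x00\x00\x00\x00":
            return True
        pos = payload.find(b"BM", pos + 1)
    return False


def structural_match(payload):
    """Only flag a 0-size BMP when the stream actually starts with a plausible
    BMP header: magic at offset 0, reserved fields zero, bfOffBits >= 54,
    and biSize == 40 (BITMAPINFOHEADER)."""
    if len(payload) < 54 or payload[:2] != b"BM":
        return False
    size, res1, res2, off_bits = struct.unpack_from("<IHHI", payload, 2)
    bi_size = struct.unpack_from("<I", payload, 14)[0]
    if res1 or res2 or off_bits < 54 or bi_size != 40:
        return False
    return size == 0


def triage(payload):
    """Classify an alert payload: 'tp' (0-size BMP header), 'fp' (naive hit on
    non-BMP data) or 'clean' (no hit at all)."""
    if structural_match(payload):
        return "tp"
    return "fp" if naive_match(payload) else "clean"
```

The check is deliberately stricter than a content match, so a 0-size BMP that begins after an HTTP header would need the body offset stripped first.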