[Snort-sigs] lots of FPs (?) for BLEEDING-EDGE EXPLOIT Windows Media Player

M. Shirk shirkdog_list at ...12...
Mon Feb 20 20:30:16 EST 2006


Added a depth of 400 to avoid false positives, and updated the message.

# "BM" must begin within the first 400 bytes; the 4 bytes 8 past the match
# (BITMAPFILEHEADER.bfOffBits, file offset 10) must be zero.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"BLEEDING-EDGE EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image (MS06-005)"; \
    flow:established,from_server; \
    content:"|42 4D|"; depth:400; \
    byte_test:4,=,0,8,relative; \
    reference:url,www.milw0rm.com/id.php?id=1500; \
    reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; \
    classtype:attempted-user; sid:2002802; rev:3; )

Shirkdog
http://www.shirkdog.us
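To see what the depth limit buys, here is an added Python emulation of the rule's payload logic (not from Shirk's post or the Bleeding Edge rule set) run over constructed samples: a well-formed BMP response, one with bfOffBits set to 0, and a non-BMP body where "BM" followed by zero bytes happens to sit about a kilobyte into the stream, the shape of payload a depth of 400 is meant to exclude. The HTTP prefix and sample bodies are constructed for the demonstration.

```python
import struct
from typing import Optional

BMP_MAGIC = b"BM"  # content:"|42 4D|"


def rule_matches(payload: bytes, depth: Optional[int] = 400) -> bool:
    """Emulate the rule's payload logic over one server->client payload.

    content:"|42 4D|"; depth:N   -> "BM" must lie entirely within the first
                                    N bytes (depth=None models rev:2, no depth)
    byte_test:4,=,0,8,relative   -> the 4 bytes starting 8 past the end of the
                                    match (BITMAPFILEHEADER.bfOffBits, file
                                    offset 10) must compare equal to 0
    Snort retries later occurrences of the content, so every candidate
    "BM" inside the depth window is checked before giving up.
    """
    end = len(payload) if depth is None else min(depth, len(payload))
    start = 0
    while True:
        idx = payload.find(BMP_MAGIC, start, end)
        if idx < 0:
            return False
        field = payload[idx + len(BMP_MAGIC) + 8 : idx + len(BMP_MAGIC) + 12]
        # byte_test reads big-endian by default; a zero test is endian-neutral
        if len(field) == 4 and struct.unpack(">I", field)[0] == 0:
            return True
        start = idx + 1


def bmp_file_header(bf_off_bits: int, bf_size: int = 14 + 40 + 4) -> bytes:
    """Constructed 14-byte BITMAPFILEHEADER (little-endian on the wire)."""
    return struct.pack("<2sIHHI", BMP_MAGIC, bf_size, 0, 0, bf_off_bits)


# Constructed samples, not captures from the thread.
HTTP_PREFIX = b"HTTP/1.1 200 OK\r\nContent-Type: image/bmp\r\n\r\n"
BENIGN_BMP = HTTP_PREFIX + bmp_file_header(54) + b"\x00" * 44    # bfOffBits=54
MALFORMED_BMP = HTTP_PREFIX + bmp_file_header(0) + b"\x00" * 44  # bfOffBits=0
# Non-BMP binary body where "BM" followed by zeros sits ~1 KiB into the stream:
# rev:2 (no depth) matches it, rev:3 (depth:400) does not.
DEEP_BM = HTTP_PREFIX + bytes(range(256)) * 4 + BMP_MAGIC + b"\x00" * 20

if __name__ == "__main__":
    for name, data in [("benign", BENIGN_BMP), ("malformed", MALFORMED_BMP),
                       ("deep BM", DEEP_BM)]:
        print(f"{name:10s} rev2={rule_matches(data, None)} rev3={rule_matches(data)}")
```

The emulation covers only the content/byte_test part of the rule; flow tracking and HTTP reassembly are left to Snort.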




>From: Russell Fulton <r.fulton at ...575...>
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] lots of FPs (?) for BLEEDING-EDGE EXPLOIT Windows 
>Media Player parsing 0 size BMP file Vuln (MS06-005),Sig ID,2002802
>Date: Sun, 19 Feb 2006 16:09:47 +1300
>
>I'm seeing lots of hits on this rule from all over the net.  Either
>there is a successful worm that I have not heard about (;) or we have
>some false +ves.
>
>As always I'm happy to supply more packet captures to researchers.
>
>Russell
>
>META
>--------
>SID	CID	TimeStamp		Signature
>6	8175125	2006-02-19 14:53:11	BLEEDING-EDGE EXPLOIT Windows Media Player
>parsing 0 size BMP file Vuln (MS06-005)
>Sig ID
>2002802
>
>Sensor Hostname				Sensor Interface
>hihi.insec.auckland.ac.nz	new dmz sensor
>
>IP
>--------
>Source Address	Dest Address	Ver	Hdr Len
>38.116.139.254	130.216.191.183	4	5
>TOS	length	ID	flags	offset	TTL	chksum
>0	1500	37867	2	0	51	47406
>
>Resolved Source
>Could Not Resolve
>Resolved Dest
>gate1.ec.auckland.ac.nz
>
>TCP
>--------
>Source Port	Dest Port	Seq		Ack
>80		59092		3465964190	2050439349
>Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
>5	0		16	6432	64992		0
>
>Options
>--------
>None
>
>
>Flags
>--------
>RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
>			X
>
>DATA
>--------
>