[Snort-sigs] SID: 8440

Paul Schmehl pauls at ...1311...
Mon Apr 23 17:05:58 EDT 2007


Can someone help me understand what this rule is looking for?

alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:cve,2006-3738; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8440; rev:2; )

Here are the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F

As I understand it, the packet must have |01 03| at a depth of 2 bytes. 
Then, at an offset of two bytes from that a byte_test of the next 2 bytes 
should not exceed 256.  So that would mean that D6+67 is greater than 256?

Is there a spec somewhere that describes what the header fields refer to? 
I'm getting tons of these alerts on what appears to be normal traffic, and 
I'd like to know exactly what's going on.  RFC 4346 isn't much help.  I 
don't read geek.

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
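Added example, not part of the post above and not Snort's own code: a small
Python re-implementation of the two payload options SID 8440 uses (content with
offset/depth, then byte_test with relative), run over the 32 payload bytes
quoted in the post. The semantics follow the Snort rule-option documentation
as I read it: offset:2; depth:2 confines the content search to bytes 2..3,
and byte_test:2,>,256,1,relative reads two big-endian bytes starting one byte
past the end of the content match. A second function decodes the same bytes
as the SSLv2 CLIENT-HELLO layout the rule is written against (message type,
2-byte version, 2-byte cipher-spec length), so you can see which field the
byte_test is actually comparing. The benign SSLv2-style hello is a constructed
sample, not captured traffic, and the function names are my own.

```python
# Added example: minimal model of SID 8440's content/byte_test evaluation.
# This is not Snort source code; flowbits are not modelled.

# Payload bytes quoted in the post (first 32 bytes of the TCP payload).
PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D"
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)

# Constructed sample of an SSLv2-compatible CLIENT-HELLO (not captured traffic):
# 2-byte record length (MSB set), msg type 0x01, version 03 01,
# cipher-spec length 0x0021 (33 bytes = 11 three-byte specs),
# session-id length 0, challenge length 16, then specs and challenge.
BENIGN_SSLV2_HELLO = (
    b"\x80\x3a" + b"\x01" + b"\x03\x01" + b"\x00\x21" + b"\x00\x00" + b"\x00\x10"
    + b"\x00\x00\x04" * 11 + bytes(range(16))
)


def content_match(payload, pattern, offset=0, depth=None):
    """Snort-style content search. Returns the index just past the match
    (the point 'relative' options continue from), or None if no match.
    offset: first byte to search; depth: bytes to search, counted from offset."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(pattern, offset, end)
    return None if idx == -1 else idx + len(pattern)


def byte_test(payload, nbytes, op, value, offset, relative_to=None):
    """Snort-style byte_test. Extracts nbytes at (relative_to or 0) + offset,
    big-endian by default, and compares with value. Returns (result, extracted)."""
    start = (relative_to or 0) + offset
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return False, None
    extracted = int.from_bytes(chunk, "big")
    ops = {">": extracted > value, "<": extracted < value, "=": extracted == value}
    return ops[op], extracted


def sid_8440_matches(payload):
    """Evaluate the payload part of SID 8440: content:"|01 03|"; offset:2; depth:2;
    byte_test:2, >, 256, 1, relative.  Returns (alert, value the byte_test saw)."""
    doe = content_match(payload, b"\x01\x03", offset=2, depth=2)
    if doe is None:
        return False, None
    return byte_test(payload, 2, ">", 256, 1, relative_to=doe)


def sslv2_client_hello_fields(payload):
    """Decode the bytes as the SSLv2 CLIENT-HELLO layout the rule assumes:
    [0:2] record length, [2] msg type, [3:5] version, [5:7] cipher-spec length."""
    return {
        "msg_type": payload[2],
        "version": (payload[3], payload[4]),
        "cipher_spec_length": int.from_bytes(payload[5:7], "big"),
    }


def tls_record_header(payload):
    """Decode the first 5 bytes as a TLS record header (type, major, minor, length)."""
    return payload[0], payload[1], payload[2], int.from_bytes(payload[3:5], "big")


if __name__ == "__main__":
    for name, data in (("post payload", PAYLOAD), ("benign hello", BENIGN_SSLV2_HELLO)):
        alert, seen = sid_8440_matches(data)
        print(name, "alert" if alert else "no alert", "byte_test saw", seen)
        print("  as SSLv2 hello:", sslv2_client_hello_fields(data))
    print("post payload as TLS record header:", tls_record_header(PAYLOAD))
```

Running this on the quoted payload shows the content option matching bytes
2..3 (01 03) and the byte_test then reading bytes 5..6 (BE D6 = 48854), which
is the cipher-spec-length position in an SSLv2 CLIENT-HELLO; the same five
leading bytes also decode cleanly as a TLS record header (type 0x17, version
3.1, length 768), which is the sort of thing to check when the rule fires on
traffic that looks normal. The constructed hello, with a 33-byte cipher-spec
field, passes the content check but not the byte_test.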