[Snort-sigs] SID: 8440
pauls at ...1311...
Mon Apr 23 17:05:58 EDT 2007
Can someone help me understand what this rule is looking for?
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get
shared ciphers overflow attempt"; flow:to_server,established;
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2;
offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249;
classtype:attempted-admin; sid:8440; rev:2; )
Here's the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
As I understand it, the packet must have |01 03| at a depth of 2 bytes.
Then, at an offset of two bytes from that a byte_test of the next 2 bytes
should not exceed 256. So that would mean that D6+67 is greater than 256?
Is there a spec somewhere that describes what the header fields refer to?
I'm getting tons of these alerts on what appears to be normal traffic, and
I'd like to know exactly what's going on. RFC 4346 isn't much help. I
don't read geek.
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
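Added worked example (mine, not part of the original post and not code from Snort or the rule's authors): a byte-level re-implementation of the content/offset/depth/byte_test options of SID 8440, run over the payload quoted in the post and over a constructed SSLv2-compatible CLIENT-HELLO. The rule's content match looks for 01 03 at exactly bytes 2-3 (offset:2 with depth:2), which in an SSLv2 CLIENT-HELLO is the message type (1) followed by the version MSB (3); the byte_test then skips one byte (the version LSB) and reads the next two as a big-endian integer, which in that layout is CIPHER-SPECS-LENGTH, alerting when it exceeds 256. The flowbits check is ignored here (assumed not set), and the record layouts are taken from the SSLv2 draft and RFC 4346, not from the post.

```python
# Added example, not from the original post or from the Snort rule set.
# Re-implements the payload options of SID 8440:
#   content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative;
# The flowbits:isnotset check is assumed to have passed (bit not set).
import struct

# The first 32 payload bytes quoted in the post.
POSTED_PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D "
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)


def sslv2_client_hello(cipher_specs_len: int) -> bytes:
    """Constructed SSLv2 CLIENT-HELLO (not from the post), per the SSLv2 draft:
    2-byte record header (high bit set, 15-bit length), MSG-CLIENT-HELLO=1,
    CLIENT-VERSION (03 01 for a TLS 1.0-capable client), CIPHER-SPECS-LENGTH,
    SESSION-ID-LENGTH, CHALLENGE-LENGTH, then the cipher specs and challenge."""
    body = bytes([0x01, 0x03, 0x01]) + struct.pack(">HHH", cipher_specs_len, 0, 16)
    body += b"\x00" * cipher_specs_len + b"\x00" * 16   # dummy specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def sid_8440_matches(payload: bytes) -> dict:
    """Apply the rule's payload options and report what each one saw."""
    # content:"|01 03|"; offset:2; depth:2  -> pattern must sit at bytes [2:4]
    if payload[2:4] != b"\x01\x03":
        return {"content": False, "byte_test": None, "alert": False}
    cursor = 4                      # detection cursor is just past the match
    # byte_test:2, >, 256, 1, relative -> 2 bytes, big-endian (default),
    # starting 1 byte past the cursor, i.e. payload bytes 5 and 6
    start = cursor + 1
    if len(payload) < start + 2:
        return {"content": True, "byte_test": None, "alert": False}
    (value,) = struct.unpack(">H", payload[start:start + 2])
    return {"content": True, "byte_test": value, "alert": value > 256}


def describe_record(payload: bytes) -> str:
    """Say what the leading bytes look like: an SSLv2 record header or a
    TLS record header (content type, version 3.x, 2-byte length)."""
    if payload[0] & 0x80:
        length = ((payload[0] & 0x7F) << 8) | payload[1]
        return "SSLv2 record, length %d" % length
    names = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
    if payload[0] in names and payload[1] == 0x03:
        (length,) = struct.unpack(">H", payload[3:5])
        return "TLS record: %s, version 3.%d, length %d" % (
            names[payload[0]], payload[2], length)
    return "unrecognised"


if __name__ == "__main__":
    for label, pkt in (("posted payload", POSTED_PAYLOAD),
                       ("constructed hello, 600 bytes of specs", sslv2_client_hello(600)),
                       ("constructed hello, 48 bytes of specs", sslv2_client_hello(48))):
        print(label, "->", describe_record(pkt), sid_8440_matches(pkt))
```

On the posted bytes the content match succeeds because bytes 2-3 happen to be 01 03, and the byte_test reads bytes 5-6 (BE D6 = 48854), not D6 67, so the rule fires. Those same leading bytes decode as a TLS record header (17 = application_data, version 03 01, length 03 00 = 768), which is why an SSLv2-hello rule is matching ordinary TLS traffic: the two layouts overlap at exactly the offsets the rule inspects.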