[Snort-sigs] SID: 8440
nigel at ...435...
Mon Apr 23 17:25:39 EDT 2007
On 0, Paul Schmehl <pauls at ...1311...> wrote:
> Can someone help me understand what this rule is looking for?
> alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get
> shared ciphers overflow attempt"; flow:to_server,established;
> flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2;
> offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249;
> classtype:attempted-admin; sid:8440; rev:2; )
> Here's the relevant bits of the payload:
> 17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
> 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
> As I understand it, the packet must have |01 03| at a depth of 2 bytes.
> Then, at an offset of two bytes from that a byte_test of the next 2 bytes
> should not exceed 256. So that would mean that D6+67 is greater than 256?
The rule is looking for a content of 01 03 at an offset of 2 bytes from
the start of the packet data with a depth of 2 bytes (01 03 is two
bytes). Then it looks at the two bytes following, at a distance of 1 byte
from the previous content match, to see if the value is greater than 256;
if it is, then alert, because it may be an attempt to overflow a buffer by
sending too much data.
Also, the rule checks to make sure that an sslv3 server response, an sslv2
client request and a tlsv1 client request haven't happened.
> Is there a spec somewhere that describes what the header fields refer to?
> I'm getting tons of these alerts on what appears to be normal traffic, and
> I'd like to know exactly what's going on? RFC 4346 isn't much help. I
> don't read geek.
There is nothing better than the snort manual for explaining what the
rule options do.
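To make the offset/depth/byte_test arithmetic concrete, here is an added example (my own code, not from the list post or from the Snort project) that evaluates the payload-inspection options of SID 8440 in Python against the bytes quoted in the question and against a constructed SSLv2 CLIENT-HELLO. The SSLv2 CLIENT-HELLO layout used by the builder, the test inputs other than the quoted record, and the flowbit modelled as a plain boolean flag are my assumptions; Snort's own matching engine is not involved.

```python
import struct

# The TCP payload bytes quoted in the question: a TLS record with
# type 0x17 (application data), version 03 01, length 0x0300, then
# encrypted bytes. Everything else in this file is constructed test data.
PAYLOAD_FROM_POST = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D"
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)

CONTENT = b"\x01\x03"   # content:"|01 03|"
OFFSET, DEPTH = 2, 2     # offset:2; depth:2
BT_SIZE, BT_VALUE, BT_REL_OFFSET = 2, 256, 1   # byte_test:2, >, 256, 1, relative


def byte_test_window(payload):
    """Return (index, value) of the 2-byte big-endian field byte_test reads,
    or None if the content pattern is not found in its offset/depth window.

    Snort semantics modelled here (assumption: plain-byte matching only):
      - content with offset N and depth M searches payload[N:N+M]
      - a relative byte_test offset counts from the end of that match
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    idx = window.find(CONTENT)
    if idx < 0:
        return None
    match_end = OFFSET + idx + len(CONTENT)
    start = match_end + BT_REL_OFFSET
    if len(payload) < start + BT_SIZE:
        return None
    (value,) = struct.unpack(">H", payload[start:start + BT_SIZE])
    return start, value


def sid_8440_matches(payload, tlsv1_client_hello_seen=False):
    """Evaluate the payload-inspection part of SID 8440.

    The flowbits:isnotset,tlsv1.client_hello.request option is modelled as
    the boolean flag (assumption); flow/port preconditions are not modelled.
    """
    if tlsv1_client_hello_seen:
        return False
    found = byte_test_window(payload)
    if found is None:
        return False
    _, value = found
    return value > BT_VALUE


def sslv2_client_hello(cipher_specs_len, version=(3, 0)):
    """Build a minimal SSLv2 CLIENT-HELLO (constructed data, layout assumed):

      2-byte record header (high bit set, 15-bit length)
      01            MSG-CLIENT-HELLO
      MM mm         client version
      cc cc         CIPHER-SPECS-LENGTH   <- the field the rule's byte_test reads
      ss ss         SESSION-ID-LENGTH
      ll ll         CHALLENGE-LENGTH
      cipher specs, session id, challenge
    """
    challenge = b"\x11" * 16
    body = (
        b"\x01" + bytes(version)
        + struct.pack(">HHH", cipher_specs_len, 0, len(challenge))
        + b"\x00" * cipher_specs_len
        + challenge
    )
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    for label, pkt in [
        ("record quoted in the post", PAYLOAD_FROM_POST),
        ("SSLv2 hello, cipher-specs-length 256", sslv2_client_hello(256)),
        ("SSLv2 hello, cipher-specs-length 257", sslv2_client_hello(257)),
    ]:
        print(f"{label}: byte_test reads {byte_test_window(pkt)}, "
              f"alert={sid_8440_matches(pkt)}")
```

Run against the quoted record, the content match lands on the 01 03 at bytes 2 and 3 (the TLS version minor byte and the high byte of the record length), and byte_test then reads BE D6 = 48854 at bytes 5 and 6, so the rule fires; that is the value, not D6+67. In a genuine SSLv2 CLIENT-HELLO the same positions hold the message type, the version major byte and the CIPHER-SPECS-LENGTH field the rule is meant to test, which is why a TLS 1.0 record whose length happens to be in the 0x03xx range, followed by encrypted data, looks the same to these three options.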