[Snort-sigs] SID: 8440

Nigel Houghton nigel at ...435...
Mon Apr 23 17:25:39 EDT 2007

On  0, Paul Schmehl <pauls at ...1311...> wrote:
> Can someone help me understand what this rule is looking for?
> alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get 
> shared ciphers overflow attempt"; flow:to_server,established; 
> flowbits:isnotset,sslv3.server_hello.request; 
> flowbits:isnotset,sslv2.client_hello.request; 
> flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; 
> offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; 
> reference:cve,2006-3738; 
> reference:url,www.openssl.org/news/secadv_20060928.txt; 
> classtype:attempted-admin; sid:8440; rev:2; )
> Here's the relevant bits of the payload:
> 17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
> 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
> As I understand it, the packet must have |01 03| at a depth of 2 bytes. 
> Then, at an offset of two bytes from that a byte_test of the next 2 bytes 
> should not exceed 256.  So that would mean that D6+67 is greater than 256?

The rule is looking for a content of 01 03 at an offset of 2 bytes from
the start of the packet data with a depth of 2 bytes (01 03 is two
bytes). Then it looks at the two bytes following at a distance of 1 byte
from the previous content match to see if the value is greater than 256,
if it is then alert because it may be an attempt to overflow a buffer by
sending too much data.

Also, the rule checks to make sure that an sslv3 server response, an sslv2
client request and a tlsv1 client request haven't happened.

> Is there a spec somewhere that describes what the header fields refer to? 
> I'm getting tons of these alerts on what appears to be normal traffic, and 
> I'd like to know exactly what's going on?  RFC 4346 isn't much help.  I 
> don't read geek.

SSLv3 Spec:

Snort Manual:

There is nothing better than the snort manual for explaining what the
rule options do.

Nigel Houghton
Office Linebacker
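
Added example, not part of the original thread and not Snort's own code: a small Python model of the rule's `content`/`offset`/`depth` and relative `byte_test` options, run over the payload bytes quoted above and over a constructed SSLv2 ClientHello. The function names are hypothetical, the flowbits checks are not modeled, and the second sample is constructed for illustration.

```python
# Walk-through of sid 8440's payload options (flowbits are not modeled).

def content_match(payload, pattern, offset=0, depth=None):
    """content with offset/depth: the pattern must lie inside
    [offset, offset+depth). Returns the cursor just past the match, or None."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(pattern, offset, end)
    return None if idx < 0 else idx + len(pattern)

def byte_test_gt(payload, nbytes, threshold, rel_offset, cursor):
    """byte_test:<nbytes>, >, <threshold>, <rel_offset>, relative.
    Bytes are read big-endian, which is byte_test's default."""
    start = cursor + rel_offset
    field = payload[start:start + nbytes]
    if len(field) < nbytes:      # not enough data left: the test cannot pass
        return False, None
    value = int.from_bytes(field, "big")
    return value > threshold, value

def evaluate(payload):
    """Apply content:"|01 03|"; depth:2; offset:2; byte_test:2,>,256,1,relative."""
    cursor = content_match(payload, b"\x01\x03", offset=2, depth=2)
    if cursor is None:
        return {"content": False, "value": None, "alert": False}
    fired, value = byte_test_gt(payload, 2, 256, 1, cursor)
    return {"content": True, "value": value, "alert": fired}

# Payload bytes quoted in the thread. Read as a TLS record header they are
# type 0x17 (application data), version 03 01, length 0x0300, so bytes 2-3
# are 01 03 and the tested field (bytes 5-6) is record data: BE D6.
PAGE_PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D"
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F")

# Constructed SSLv2 ClientHello: 2-byte record header, msg type 01,
# version 03 01, then the 2-byte cipher-spec length (0x0015 = 21), which is
# the field the byte_test lands on. Cipher specs and challenge are zero filler.
SSLV2_HELLO = bytes.fromhex("80 2e 01 03 01 00 15 00 00 00 10") + bytes(21 + 16)

if __name__ == "__main__":
    for name, data in (("page payload", PAGE_PAYLOAD),
                       ("constructed SSLv2 hello", SSLV2_HELLO)):
        print(name, evaluate(data))
```

If the flowbits for an already-seen handshake are not set on a session, a TLS 1.0 record with a length of 0x0300 or more bytes passes the content match the same way the quoted payload does.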
