[Snort-sigs] SID: 8440

Nigel Houghton nigel at ...435...
Mon Apr 23 17:27:48 EDT 2007


On  0, Nigel Houghton <nigel at ...435...> wrote:
> On  0, Paul Schmehl <pauls at ...1311...> wrote:
> > Can someone help me understand what this rule is looking for?
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get 
> > shared ciphers overflow attempt"; flow:to_server,established; 
> > flowbits:isnotset,sslv3.server_hello.request; 
> > flowbits:isnotset,sslv2.client_hello.request; 
> > flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; 
> > offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; 
> > reference:cve,2006-3738; 
> > reference:url,www.openssl.org/news/secadv_20060928.txt; 
> > classtype:attempted-admin; sid:8440; rev:2; )
> > 
> > Here's the relevant bits of the payload:
> > 17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
> > 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
> > 
> > As I understand it, the packet must have |01 03| at a depth of 2 bytes. 
> > Then, at an offset of two bytes from that a byte_test of the next 2 bytes 
> > should not exceed 256.  So that would mean that D6+67 is greater than 256?

I missed a key word in this next paragraph: it is "starting". Check the
Snort manual for where it goes :)

> The rule is looking for a content of 01 03 at an offset of 2 bytes from
> the start of the packet data with a depth of 2 bytes (01 03 is two
> bytes). Then it looks at the two bytes following at a distance of 1 byte
> from the previous content match to see if the value is greater than 256,
> if it is then alert because it may be an attempt to overflow a buffer by
> sending too much data.

Taking a drink now.

-- 
Nigel Houghton
Office Linebacker
SF VRT
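To make the offset/depth/relative arithmetic in the exchange above concrete, here is an added example (my own code, not from the thread or from Snort) that re-implements just the content and byte_test options of SID 8440 in Python and runs them over the payload quoted above and over a constructed SSLv2 ClientHello with a sane cipher-spec length; the flowbits checks are ignored.

```python
# Payload bytes as quoted in the thread (constructed copy of the first 32 bytes).
PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D"
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)

# Constructed SSLv2 ClientHello: 2-byte record length, msg type 01, version 03 01,
# cipher-spec length 00 15 (21 bytes = 7 specs), session id len 0, challenge len 16.
BENIGN_HELLO = (bytes.fromhex("80 2e 01 03 01 00 15 00 00 00 10")
                + b"\x00\x00\x04" * 7 + b"\x00" * 16)


def content_match(payload, pattern, offset=0, depth=None):
    """Snort 'content' with offset/depth: look for pattern only inside the window
    starting at offset and spanning depth bytes. Returns the index just past the
    match (Snort's detect-offset-end pointer that 'relative' builds on), or None."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    idx = window.find(pattern)
    return None if idx < 0 else offset + idx + len(pattern)


def byte_test(payload, nbytes, op, value, offset, doe=None):
    """Snort 'byte_test' (big-endian, unsigned by default). When 'relative' is
    used, offset counts from the pointer left by the previous content match."""
    start = (doe or 0) + offset
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return False, None
    extracted = int.from_bytes(chunk, "big")
    ops = {">": extracted > value, "<": extracted < value, "=": extracted == value}
    return ops[op], extracted


def sid_8440_payload_check(payload):
    """Payload part of SID 8440: content:"|01 03|"; offset:2; depth:2;
    byte_test:2,>,256,1,relative. Returns what was matched and tested."""
    doe = content_match(payload, b"\x01\x03", offset=2, depth=2)
    if doe is None:
        return {"content": False, "doe": None, "tested_value": None, "alert": False}
    hit, val = byte_test(payload, 2, ">", 256, 1, doe=doe)
    return {"content": True, "doe": doe, "tested_value": val, "alert": hit}


if __name__ == "__main__":
    # Quoted payload: 01 03 found at bytes 2-3, pointer lands on byte 4, skip one
    # byte, read BE D6 = 48854 > 256 -> alert. Benign hello: 00 15 = 21 -> no alert.
    print(sid_8440_payload_check(PAYLOAD))
    print(sid_8440_payload_check(BENIGN_HELLO))
```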