[Snort-sigs] SID: 8440

Paul Schmehl pauls at ...1311...
Mon Apr 23 17:45:18 EDT 2007


--On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton 
<nigel at ...435...> wrote:

> On  0, Paul Schmehl <pauls at ...1311...> wrote:
>> Can someone help me understand what this rule is looking for?
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
>> get  shared ciphers overflow attempt"; flow:to_server,established;
>> flowbits:isnotset,sslv3.server_hello.request;
>> flowbits:isnotset,sslv2.client_hello.request;
>> flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
>> depth:2;  offset:2; byte_test:2, >, 256, 1, relative;
>> reference:bugtraq,20249;  reference:cve,2006-3738;
>> reference:url,www.openssl.org/news/secadv_20060928.txt;
>> classtype:attempted-admin; sid:8440; rev:2; )
>>
>> Here are the relevant bits of the payload:
>> 17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
>> 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
>>
>> As I understand it, the packet must have |01 03| at a depth of 2 bytes.
>> Then, at an offset of two bytes from that a byte_test of the next 2
>> bytes  should not exceed 256.  So that would mean that D6+67 is greater
>> than 256?
>
> The rule is looking for a content of 01 03 at an offset of 2 bytes from
> the start of the packet data with a depth of 2 bytes (01 03 is two
> bytes). Then it looks at the two bytes following at a distance of 1 byte
> from the previous content match to see if the value is greater than 256,
> if it is then alert because it may be an attempt to overflow a buffer by
> sending too much data.
>
OK, I muffed that horribly.  :-(

At an offset of two bytes, for a depth of two bytes, the content should be 
|01 03|, right?

Now where the heck is the byte_test?  The next two bytes?  In that case it 
would be |00 BE|, which is not >256, so that can't be right.

Now I'm thoroughly confused.

I appreciate you pointing to the RFC, but as I said, I don't read geek. 
Where can I find something that says something like this:
The first two bytes define the version of ssl being used: here are the 
possibilities.  The next two bytes define X, and here are the possible 
values.  Etc., etc., etc.

Someone needs to translate the RFCs into English.

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
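To pin down where the byte_test actually lands, here is an added Python example (not from the thread and not Snort's own code) that re-implements the content/offset/depth and relative byte_test semantics Nigel describes and runs them over the payload bytes Paul pasted. It assumes Snort's defaults for byte_test (big-endian, unsigned) and that "relative" counts from the byte just past the previous content match.

```python
# Added example: models the two payload checks of SID 8440 as the thread
# describes them. flow/flowbits are stream state, not payload, so they are
# left out here.
from typing import Optional

# Payload bytes copied from Paul's message (first 32 bytes of the record).
PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D"
    " 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)

def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> Optional[int]:
    """Snort 'content' with offset/depth: the pattern is searched for only
    inside payload[offset:offset+depth]. Returns the index just past the
    match (the point 'relative' options count from), or None if no match."""
    window = payload[offset:offset + depth]
    idx = window.find(pattern)
    if idx == -1:
        return None
    return offset + idx + len(pattern)

def byte_test(payload: bytes, size: int, op: str, value: int,
              rel_offset: int, doe: int) -> tuple:
    """Snort 'byte_test' with 'relative': read `size` bytes starting
    `rel_offset` bytes after the previous match end `doe`, treat them as a
    big-endian unsigned integer (Snort's default), and compare to `value`.
    Returns (result, raw_bytes, integer_value)."""
    start = doe + rel_offset
    raw = payload[start:start + size]
    if len(raw) < size:           # too short to test: no alert
        return False, raw, -1
    n = int.from_bytes(raw, "big")
    ops = {">": n > value, "<": n < value, "=": n == value}
    return ops[op], raw, n

def sid_8440_matches(payload: bytes) -> dict:
    """content:"|01 03|"; depth:2; offset:2; byte_test:2,>,256,1,relative;"""
    doe = content_match(payload, b"\x01\x03", offset=2, depth=2)
    if doe is None:
        return {"alert": False, "reason": "content |01 03| not at offset 2"}
    hit, raw, n = byte_test(payload, 2, ">", 256, 1, doe)
    return {"alert": hit, "content_end": doe,
            "tested_bytes": raw.hex(" "), "value": n}

if __name__ == "__main__":
    print(sid_8440_matches(PAYLOAD))
    # → {'alert': True, 'content_end': 4, 'tested_bytes': 'be d6', 'value': 48854}
```

On Paul's bytes the content match ends at index 4, the relative offset of 1 skips the 00, and the two bytes tested are BE D6 (48854), which is why the rule fires on this TLS record even though it was written with an overflow attempt in mind.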