[Snort-sigs] SID: 8440

Paul Schmehl pauls at ...1311...
Tue Apr 24 11:24:29 EDT 2007


--On Monday, April 23, 2007 16:45:18 -0500 Paul Schmehl 
<pauls at ...1311...> wrote:

> --On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton
> <nigel at ...435...> wrote:
>
>> On  0, Paul Schmehl <pauls at ...1311...> wrote:
>>> Can someone help me understand what this rule is looking for?
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
>>> get  shared ciphers overflow attempt"; flow:to_server,established;
>>> flowbits:isnotset,sslv3.server_hello.request;
>>> flowbits:isnotset,sslv2.client_hello.request;
>>> flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
>>> depth:2;  offset:2; byte_test:2, >, 256, 1, relative;
>>> reference:bugtraq,20249;  reference:cve,2006-3738;
>>> reference:url,www.openssl.org/news/secadv_20060928.txt;
>>> classtype:attempted-admin; sid:8440; rev:2; )
>>>
>>> Here are the relevant bits of the payload:
>>> 17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
>>> 18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
>>>
Continuing our discussion from yesterday :-), here's another payload from a 
packet that tripped SID: 8440.

17 03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2
70 9C 04 2D 8A 32 FF A7 24 6A D4 85 8D 8D 6A E4

We obviously have a rule match on greater than 256 bytes, but my question 
is, what do the fields in the header mean?  What are bytes 6 & 7 referring 
to?  What does byte 1, byte 2, etc. refer to?  Does anyone know where I can 
find a packet header field description that is similar to the one in the 
training manual on page 552?  (The RPC header description.)

I'm trying to understand *why* what appear to be legitimate users checking 
email is tripping this alert.  Is it badly configured clients?  Unpatched 
clients?  Badly designed clients that ignore the protocol?

The bottom line is, why are our users' email clients routinely trying to 
overflow a buffer?

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/