[Snort-sigs] SID: 8440

Nigel Houghton nigel at ...435...
Tue Apr 24 12:17:38 EDT 2007


On  0, Paul Schmehl <pauls at ...1311...> wrote:
> --On Monday, April 23, 2007 16:45:18 -0500 Paul Schmehl 
> <pauls at ...1311...> wrote:
 
> Continuing our discussion from yesterday :-), here's another payload from a 
> packet that tripped SID: 8440.
> 
> 17 03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2
> 70 9C 04 2D 8A 32 FF A7 24 6A D4 85 8D 8D 6A E4
> 
> We obviously have a rule match on greater than 256 bytes, but my question 
> is, what do the fields in the header mean?  What are bytes 6 & 7 referring 
> to?  What does byte 1, byte 2, etc. refer to?  Does anyone know where I can 
> find a packet header field description that is similar to the one in the 
> training manual on page 552?  (The RPC header description.)
> 
> I'm trying to understand *why* what appear to be legitimate users checking 
> email is tripping this alert.  Is it badly configured clients?  Unpatched 
> clients?  Badly designed clients that ignore the protocol?
> 
> The bottom line is, why are our users' email clients routinely trying to 
> overflow a buffer?

ok, here is what an SSL hello packet structure looks like:

Starting at byte 0 in the payload data...

Bytes 0 and 1 == packet length
Byte  2 == Message type
Bytes 3 and 4 == SSL version
Bytes 5 and 6 == cipher spec length
Bytes 7 and 8 == session ID
Bytes 9 and 10 == challenge length
next bunch of bytes are the cipher specs (the number of these can vary)
last bunch of bytes is the challenge

Some packet captures for full sessions would be great if you can send
some along, it would help with my current project :D

Details about what is in use would also be helpful.

-- 
Nigel Houghton
Office Linebacker
SF VRT




More information about the Snort-sigs mailing list