[Snort-sigs] SID: 8440

Paul Schmehl pauls at ...1311...
Tue Apr 24 17:06:46 EDT 2007


--On Tuesday, April 24, 2007 12:17:38 -0400 Nigel Houghton 
<nigel at ...435...> wrote:

> On  0, Paul Schmehl <pauls at ...1311...> wrote:
>> --On Monday, April 23, 2007 16:45:18 -0500 Paul Schmehl
>> <pauls at ...1311...> wrote:
>
>> Continuing our discussion from yesterday :-), here's another payload
>> from a  packet that tripped SID: 8440.
>>
>> 17 03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2
>> 70 9C 04 2D 8A 32 FF A7 24 6A D4 85 8D 8D 6A E4
>>
>> We obviously have a rule match on greater than 256 bytes, but my
>> question  is, what do the fields in the header mean?  What are bytes 6 &
>> 7 referring  to?  What does byte 1, byte 2, etc. refer to?  Does anyone
>> know where I can  find a packet header field description that is similar
>> to the one in the  training manual on page 552?  (The RPC header
>> description.)
>>
>> I'm trying to understand *why* what appear to be legitimate users
>> checking  email is tripping this alert.  Is it badly configured clients?
>> Unpatched  clients?  Badly designed clients that ignore the protocol?
>>
>> The bottom line is, why are our users' email clients routinely trying to
>> overflow a buffer?
>
> ok, here is what an SSL hello packet structure looks like:
>
> Starting at byte 0 in the payload data...
>
> Bytes 0 and 1 == packet length
> Byte  2 == Message type
> Bytes 3 and 4 == SSL version
> Bytes 5 and 6 == cipher spec length
> Bytes 7 and 8 == session ID
> Bytes 9 and 10 == challenge length
> next bunch of bytes are the cipher specs (the number of these can vary)
> last bunch of bytes is the challenge
>
> Some packet captures for full sessions would be great if you can send
> some along, it would help with my current project :D
>
> Details about what is in use would also be helpful.

OK.  Now we're getting somewhere.  So, using the packet info I posted (17 
03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2), the packet length would be 
|17 03|, message type would be |01|, SSL version would be |03 70|, and 
cipher spec length would be |B9 5D|, right?

When you refer to the cipher spec length, are you referring to this (pasted 
below) on page 30, section A.2 of the appendices to the SSL spec as posted 
at the Netscape site?

struct {
    enum { change_cipher_spec(1), (255) } type;
} ChangeCipherSpec

In order to send you packet captures, I first need to identify the hosts 
and applications that are triggering these alerts.  That might take some 
time.

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3701 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20070424/c63eb03c/attachment.bin>


More information about the Snort-sigs mailing list