[Snort-sigs] SMTP MS Windows Mail UNC navigation remote command execution 11837

Russell Fulton r.fulton at ...575...
Tue Sep 25 19:17:29 EDT 2007


We are seeing quite a lot of FPs on this sig.  Below is a packet capture
of the vital bit (5 packets into the exchange).  I've highlighted the
text that triggered the sig.

Russell.


META
SID  CID      TimeStamp            Signature           Sig ID
6    9469554  2007-09-25 11:09:14  tag: Tagged Packet  1
<http://www.snort.org/snort-db/sid.html?sid=1>

Sensor Hostname                    Sensor Interface
monitor-dmzo.isec.auckland.ac.nz   dmz sensor

IP
Source Address  Dest Address    Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
74.62.160.117   130.216.190.11  4    5        0    1492    23837  2      0       111  32111

Resolved Source                     Resolved Dest
rrcs-74-62-160-117.west.biz.rr.com  groucho.itss.auckland.ac.nz

TCP
Source Port  Dest Port  Seq         Ack         Offset  Reserved  Flags  Window  Checksum  Urgent Ptr
4765         25         2783113946  1034969517  5       0         16     65300   3205      0

Options
None

Flags
RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN
                  X

------------------------------------------------------------------------
DATA

: 28px;.color: #1E02FE;.font-weight: bold;.text-decoration: 
underline;.background-repeat: no-repeat;}.style7 {.font-size
: 24px;.font-family: Arial, Helvetica, sans-serif;}.text {.f
ont-family: Arial, Helvetica, sans-serif;.font-size: 16px;.c
olor: #000000;.padding-left: 15px;.padding-right: 15px;.padd
ing-top: 20px;.padding-bottom: 10px;.line-height: 25px;}.sty
le8 {.font-size: 20px;.color: #FFFFFF;}.style10 {.font-famil
y: Arial, Helvetica, sans-serif;.font-size: 24px;.color: #FF
FFFF;.padding-left: 20px;.padding-right: 15px;.padding-top: 
20px;.padding-bottom: ..20px;.text-decoration: underline;.fo
nt-weight: bold;}.style13 {.font-size: 12px;.padding-left: 4
px;}.style15 {.font-size: 12px;.font-weight: bold;.border: 1
px none #E6E6E6;}.style17 {font-size: 14px; font-weight: bol
d; color: #FF0000; }.style22 {.font-size: 14px;.font-weight:
 bold;.color: #1E02FE;}.line {.font-family: Arial, Helvetica
, sans-serif;.font-size: 14px;.color: #1E02FE;.border: 1px n
one #E6E6E6;}.style27 {color: #FFFFFF}.style28 {color: #1E02
FE}.style29 {.font-size: 18px;.color: #FF0000;}.description 
{.font-family: "Arial", "Helvetica", "sans-serif";.font-size
: 12px;.color: #000000;}.style31 {color: #1E02FE; font-size:
 14px;}.style32 {color: #FF0000}.style33 {color: #1E02FE; bo
rder: 1px none #E6E6E6; font-size: 14px;}--></style><BASE *hr
ef='file://C:\Documents and Settings\winston\My Documents\'*>
</HEAD><body><table width="756" border="0" align="center" ce
llpadding="0
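A stricter version of the check, added here as an illustration and not part of Russell's post or of the Snort rule: the sig 11837 rule text is not quoted on the list, so this assumes it keys on a `file://` BASE href, and it separates a local drive-letter target like the one in the capture above from a UNC target that names a remote host. The sample strings and the host name `fileserver.example` are constructed for the example.

```python
import re

# Constructed sample: the <BASE href> from the captured mail above (highlight markers removed).
# It points at a local drive-letter path, which is the false-positive case.
LOCAL_BASE = "<BASE href='file://C:\\Documents and Settings\\winston\\My Documents\\'>"
# Constructed sample with a hypothetical host name: the UNC-style target the rule is after.
UNC_BASE = '<base href="file://\\\\fileserver.example\\share\\">'

# Pull the quoted href value out of every <base ...> tag (case-insensitive, attributes in any order).
BASE_HREF_RE = re.compile(r"<base\b[^>]*?\bhref\s*=\s*(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)


def base_href_targets(html):
    """Return the href value of each <base> tag in an HTML mail body."""
    return [m.group(2) for m in BASE_HREF_RE.finditer(html)]


def is_unc_file_url(url):
    """True only for file: URLs whose target is a remote host (UNC), not a local path."""
    if not url.lower().startswith("file:"):
        return False
    rest = url[len("file:"):].replace("\\", "/")  # mail clients emit either slash style
    path = rest.lstrip("/")
    nslashes = len(rest) - len(path)
    # file://C:\... and file:///C:/... are drive-letter paths: local whatever the slash count.
    if re.match(r"[A-Za-z]:(/|$)", path):
        return False
    # file://host/share (2 slashes) and file:////host/share (4 or more) name a host;
    # file:///path (exactly 3) is a local absolute path.
    if nslashes == 2 or nslashes >= 4:
        host = path.split("/", 1)[0]
        return bool(host) and host.lower() != "localhost"
    return False


def unc_base_hrefs(html):
    """Refined alert condition: <base> hrefs that actually point at a remote UNC share."""
    return [u for u in base_href_targets(html) if is_unc_file_url(u)]


if __name__ == "__main__":
    print("local:", unc_base_hrefs(LOCAL_BASE))  # [] -> no alert on the captured mail
    print("unc:  ", unc_base_hrefs(UNC_BASE))    # the UNC href -> alert
```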