[Snort-sigs] SID 4135 rev 4 false positive?

Ben Creitz creitz at ...2420...
Wed Nov 26 22:08:20 EST 2008


On Wed, Nov 26, 2008 at 12:45 PM, Info <info at ...3194...> wrote:
> Have you inspected the actual raw data from the image?

>    http://www.homesdatabase.com/logos/LLE1.jpg

Not yet.

> Do you have a
> packet trace to correlate?

Here it is:

 length = 1440

000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 44 61 74 65 3A 20 57 65 64 2C 20 32 36 20 4E   .Date: Wed, 26 N
020 : 6F 76 20 32 30 30 38 20 30 36 3A 34 37 3A 32 34   ov 2008 06:47:24
030 : 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 63    GMT..Server: Ac
040 : 74 69 76 65 41 67 65 6E 74 2F 34 2E 30 0D 0A 4C   tiveAgent/4.0..L
050 : 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 54 75   ast-Modified: Tu
060 : 65 2C 20 31 33 20 44 65 63 20 32 30 30 35 20 31   e, 13 Dec 2005 1
070 : 35 3A 35 34 3A 30 30 20 47 4D 54 0D 0A 45 54 61   5:54:00 GMT..ETa
080 : 67 3A 20 22 33 36 39 33 61 2D 31 66 34 66 2D 34   g: "3693a-1f4f-4
090 : 33 39 65 65 65 39 38 22 0D 0A 41 63 63 65 70 74   39eee98"..Accept
0a0 : 2D 52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A   -Ranges: bytes..
0b0 : 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20   Content-Length:
0c0 : 38 30 31 35 0D 0A 4B 65 65 70 2D 41 6C 69 76 65   8015..Keep-Alive
0d0 : 3A 20 74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61   : timeout=15, ma
0e0 : 78 3D 31 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F   x=100..Connectio
0f0 : 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43   n: Keep-Alive..C
100 : 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 69 6D 61   ontent-Type: ima
110 : 67 65 2F 6A 70 65 67 0D 0A 0D 0A FF D8 FF E0 00   ge/jpeg.........
120 : 10 4A 46 49 46 00 01 02 01 00 48 00 48 00 00 FF   .JFIF.....H.H...
130 : ED 0D 2E 50 68 6F 74 6F 73 68 6F 70 20 33 2E 30   ...Photoshop 3.0
140 : 00 38 42 49 4D 03 ED 00 00 00 00 00 10 00 47 FB   .8BIM.........G.
150 : CD 00 01 00 01 00 47 FB CD 00 01 00 01 38 42 49   ......G......8BI
160 : 4D 04 0D 00 00 00 00 00 04 00 00 00 78 38 42 49   M...........x8BI
170 : 4D 04 19 00 00 00 00 00 04 00 00 00 1E 38 42 49   M............8BI
180 : 4D 03 F3 00 00 00 00 00 09 00 00 00 00 00 00 00   M...............
190 : 00 01 00 38 42 49 4D 04 0A 00 00 00 00 00 01 00   ...8BIM.........
1a0 : 00 38 42 49 4D 27 10 00 00 00 00 00 0A 00 01 00   .8BIM'..........
1b0 : 00 00 00 00 00 00 02 38 42 49 4D 03 F5 00 00 00   .......8BIM.....
1c0 : 00 00 48 00 2F 66 66 00 01 00 6C 66 66 00 06 00   ..H./ff...lff...
1d0 : 00 00 00 00 01 00 2F 66 66 00 01 00 A1 99 9A 00   ....../ff.......
1e0 : 06 00 00 00 00 00 01 00 32 00 00 00 01 00 5A 00   ........2.....Z.
1f0 : 00 00 06 00 00 00 00 00 01 00 35 00 00 00 01 00   ..........5.....
200 : 2D 00 00 00 06 00 00 00 00 00 01 38 42 49 4D 03   -..........8BIM.
210 : F8 00 00 00 00 00 70 00 00 FF FF FF FF FF FF FF   ......p.........
220 : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 03   ................
230 : E8 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF   ................
240 : FF FF FF FF FF FF FF FF FF FF FF 03 E8 00 00 00   ................
250 : 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   ................
260 : FF FF FF FF FF FF FF 03 E8 00 00 00 00 FF FF FF   ................
270 : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   ................
280 : FF FF FF 03 E8 00 00 38 42 49 4D 04 00 00 00 00   .......8BIM.....
290 : 00 00 02 00 00 38 42 49 4D 04 02 00 00 00 00 00   .....8BIM.......
2a0 : 02 00 00 38 42 49 4D 04 08 00 00 00 00 00 10 00   ...8BIM.........
2b0 : 00 00 01 00 00 02 40 00 00 02 40 00 00 00 00 38   ......@...@....8
2c0 : 42 49 4D 04 1E 00 00 00 00 00 04 00 00 00 00 38   BIM............8
2d0 : 42 49 4D 04 1A 00 00 00 00 00 75 00 00 00 06 00   BIM.......u.....
2e0 : 00 00 00 00 00 00 00 00 00 00 64 00 00 00 64 00   ..........d...d.
2f0 : 00 00 0A 00 55 00 6E 00 74 00 69 00 74 00 6C 00   ....U.n.t.i.t.l.
300 : 65 00 64 00 2D 00 31 00 00 00 01 00 00 00 00 00   e.d.-.1.........
310 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00   ................
320 : 00 00 00 00 00 00 00 00 00 00 64 00 00 00 64 00   ..........d...d.
330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
340 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
350 : 00 38 42 49 4D 04 11 00 00 00 00 00 01 01 00 38   .8BIM..........8
360 : 42 49 4D 04 14 00 00 00 00 00 04 00 00 00 03 38   BIM............8
370 : 42 49 4D 04 0C 00 00 00 00 0A 6D 00 00 00 01 00   BIM.......m.....
380 : 00 00 64 00 00 00 64 00 00 01 2C 00 00 75 30 00   ..d...d...,..u0.
390 : 00 0A 51 00 18 00 01 FF D8 FF E0 00 10 4A 46 49   ..Q..........JFI
3a0 : 46 00 01 02 01 00 48 00 48 00 00 FF EE 00 0E 41   F.....H.H......A
3b0 : 64 6F 62 65 00 64 80 00 00 00 01 FF DB 00 84 00   dobe.d..........
3c0 : 0C 08 08 08 09 08 0C 09 09 0C 11 0B 0A 0B 11 15   ................
3d0 : 0F 0C 0C 0F 15 18 13 13 15 13 13 18 11 0C 0C 0C   ................
3e0 : 0C 0C 0C 11 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C   ................
3f0 : 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C   ................
400 : 01 0D 0B 0B 0D 0E 0D 10 0E 0E 10 14 0E 0E 0E 14   ................
410 : 14 0E 0E 0E 0E 14 11 0C 0C 0C 0C 0C 11 11 0C 0C   ................
420 : 0C 0C 0C 0C 11 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C   ................
430 : 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C   ................
440 : 0C FF C0 00 11 08 00 64 00 64 03 01 22 00 02 11   .......d.d.."...
450 : 01 03 11 01 FF DD 00 04 00 07 FF C4 01 3F 00 00   .............?..
460 : 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 03   ................
470 : 00 01 02 04 05 06 07 08 09 0A 0B 01 00 01 05 01   ................
480 : 01 01 01 01 01 00 00 00 00 00 00 00 01 00 02 03   ................
490 : 04 05 06 07 08 09 0A 0B 10 00 01 04 01 03 02 04   ................
4a0 : 02 05 07 06 08 05 03 0C 33 01 00 02 11 03 04 21   ........3......!
4b0 : 12 31 05 41 51 61 13 22 71 81 32 06 14 91 A1 B1   .1.AQa."q.2.....
4c0 : 42 23 24 15 52 C1 62 33 34 72 82 D1 43 07 25 92   B#$.R.b34r..C.%.
4d0 : 53 F0 E1 F1 63 73 35 16 A2 B2 83 26 44 93 54 64   S...cs5....&D.Td
4e0 : 45 C2 A3 74 36 17 D2 55 E2 65 F2 B3 84 C3 D3 75   E..t6..U.e.....u
4f0 : E3 F3 46 27 94 A4 85 B4 95 C4 D4 E4 F4 A5 B5 C5   ..F'............
500 : D5 E5 F5 56 66 76 86 96 A6 B6 C6 D6 E6 F6 37 47   ...Vfv........7G
510 : 57 67 77 87 97 A7 B7 C7 D7 E7 F7 11 00 02 02 01   Wgw.............
520 : 02 04 04 03 04 05 06 07 07 06 05 35 01 00 02 11   ...........5....
530 : 03 21 31 12 04 41 51 61 71 22 13 05 32 81 91 14   .!1..AQaq"..2...
540 : A1 B1 42 23 C1 52 D1 F0 33 24 62 E1 72 82 92 43   ..B#.R..3$b.r..C
550 : 53 15 63 73 34 F1 25 06 16 A2 B2 83 07 26 35 C2   S.cs4.%......&5.
560 : D2 44 93 54 A3 17 64 45 55 36 74 65 E2 F2 B3 84   .D.T..dEU6te....
570 : C3 D3 75 E3 F3 46 94 A4 85 B4 95 C4 D4 E4 F4 A5   ..u..F..........
580 : B5 C5 D5 E5 F5 56 66 76 86 96 A6 B6 C6 D6 E6 F6   .....Vfv........
590 : 27 37 47 57 67 77 87 97 A7 B7 C7 FF DA 00 0C 03   '7GWgw..........

> P.S.  Also helpful to paste the rule thats causing the fp so we can
> quickly review.

Here it is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-CLIENT IE JPEG heap overflow single packet attempt"; \
    flow:to_client,established; \
    content:"image/"; nocase; \
    pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; \
    content:"|FF C0|"; \
    pcre:"/\xFF\xC0[^\xFF]{8}(([^\xFF])[^\xFF]{2})(([^\xFF])[^\xFF]{2})?(([^\xFF])[^\xFF]{2})?(([^\xFF])[^\xFF]{2})?\xFF.*\xFF\xDA[^\xFF]{2}[\x01-\x04](?(?=\2)[^\xFF]{2}(?(4)(?(?=\4)[^\xFF]{2}(?(6)(?(?=\6)[^\xFF]{2}(?(8)(?(?=\8)(?!))|(?!)))|(?!)))|(?!)))/s"; \
    metadata:policy security-ips drop; \
    reference:bugtraq,14282; reference:bugtraq,14284; reference:cve,2005-1988; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS05-038.mspx; \
    classtype:attempted-dos; sid:4135; rev:4; \
)

Ben
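Added example, not part of Ben's message and not code from the Snort rule set: a structural emulation in Python of the JPEG check that the rule's second pcre performs, run against three lines excerpted from the dump above and against constructed SOF/SOS fragments. Python's standard re module has no look-ahead conditionals such as (?(?=\2)...), so the expression is rewritten as byte comparisons with the same branch structure; the function names, the hex-dump parser and the constructed fragments are the example's own, and only the JPEG part of the rule is modelled (not the Content-Type pre-condition or the content matches). The point it makes about the capture: the 1440-byte packet ends at the Ns byte of the SOS header, and the (?(?=\2)...) conditional has no else-branch, so when its look-ahead finds no byte it matches empty and the expression reaches its end. What the rest of the response would have done is not visible in the dump.

```python
"""Structural emulation of the JPEG check in the second pcre of SID 4135 rev 4:
capture the component ids of an SOF0 (FF C0) segment, then walk the selectors
of a later SOS (FF DA) segment through the rule's chain of conditionals.

Python's `re` lacks look-ahead conditionals, so the PCRE is re-expressed as
explicit byte comparisons with the same branch structure (example code)."""
import re

# 'off : xx xx ... xx   ascii' lines, the dump format used in this thread.
DUMP_LINE = re.compile(r"^\s*[0-9a-f]+\s*:((?:\s[0-9a-f]{2})+)", re.I)


def parse_dump(text: str) -> bytes:
    """Recover raw bytes from hex-dump lines; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def sof_component_ids(buf: bytes, i: int):
    """\\xFF\\xC0[^\\xFF]{8}(id..)(id..)?(id..)?(id..)?\\xFF with buf[i] == FF.
    Returns (ids, index of the FF following the components) or None."""
    hdr = buf[i + 2:i + 10]                      # Lf(2) P(1) Y(2) X(2) Nf(1)
    if len(hdr) < 8 or 0xFF in hdr:
        return None
    ids, p = [], i + 10
    while len(ids) < 4:                          # the PCRE captures at most four
        comp = buf[p:p + 3]                      # Ci, HiVi, Tqi
        if len(comp) < 3 or 0xFF in comp:
            break
        ids.append(comp[0])
        p += 3
    if not ids or p >= len(buf) or buf[p] != 0xFF:   # run must end at a marker
        return None
    return ids, p


def sos_triggers(buf: bytes, j: int, ids: list) -> bool:
    """The conditional chain after \\xFF\\xDA[^\\xFF]{2}[\\x01-\\x04], buf[j] == FF.
    True means the pattern reaches its end, i.e. the rule alerts."""
    if j + 5 > len(buf) or 0xFF in buf[j + 2:j + 4] or not 1 <= buf[j + 4] <= 4:
        return False
    p = j + 5                                    # first SOS component selector
    for k, cid in enumerate(ids):
        nxt = buf[p] if p < len(buf) else None
        # (?(?=\N)...) has no else-branch: a differing or *absent* byte
        # satisfies the conditional and the whole pattern matches.
        if nxt != cid:
            return True
        if k == 3:
            return False                         # (?(?=\8)(?!)): four agreeing ids
        pair = buf[p:p + 2]                      # [^\xFF]{2}: selector + Td/Ta
        if len(pair) < 2 or 0xFF in pair:
            return False
        p += 2
    return False                                 # (?(N)...|(?!)): SOF has no more ids


def rule_4135_matches(body: bytes) -> bool:
    """Alert iff some FF C0 / later FF DA pair satisfies the expression
    (PCRE backtracking through '.*' tries every such pair)."""
    for i in range(len(body) - 1):
        if body[i] == 0xFF and body[i + 1] == 0xC0:
            got = sof_component_ids(body, i)
            if got is None:
                continue
            ids, end = got
            for j in range(end + 1, len(body) - 1):
                if body[j] == 0xFF and body[j + 1] == 0xDA and sos_triggers(body, j, ids):
                    return True
    return False


def jpeg_fragment(sof_ids, sos_selectors) -> bytes:
    """Constructed baseline-JPEG skeleton: SOI, SOF0, DRI, SOS header.
    Tables and entropy-coded data are omitted; the expression never reads them."""
    sof = bytes([0xFF, 0xC0, 0, 8 + 3 * len(sof_ids), 8, 0, 0x64, 0, 0x64, len(sof_ids)])
    sof += b"".join(bytes([cid, 0x11, 0x00]) for cid in sof_ids)
    sos = bytes([0xFF, 0xDA, 0, 6 + 2 * len(sos_selectors), len(sos_selectors)])
    sos += b"".join(bytes([sel, 0x00]) for sel in sos_selectors)
    return b"\xff\xd8" + sof + b"\xff\xdd\x00\x04\x00\x07" + sos + b"\x00\x3f\x00"


# Three lines copied from the dump in the message above: the thumbnail's SOF0
# (offsets 440-45f) and the last line of the 1440-byte packet, which ends
# inside the SOS header. Nothing between them contains FF C0 or FF DA.
PACKET_EXCERPT = """\
440 : 0C FF C0 00 11 08 00 64 00 64 03 01 22 00 02 11   .......d.d.."...
450 : 01 03 11 01 FF DD 00 04 00 07 FF C4 01 3F 00 00   .............?..
590 : 27 37 47 57 67 77 87 97 A7 B7 C7 FF DA 00 0C 03   '7GWgw..........
"""


def cases() -> dict:
    """Name -> body bytes. Everything but the packet excerpt is constructed."""
    full = jpeg_fragment([1, 2, 3], [1, 2, 3])
    return {
        "packet_excerpt": parse_dump(PACKET_EXCERPT),           # cut at Ns
        "agree": full,                                          # ids 1,2,3 / 1,2,3
        "mismatch": jpeg_fragment([1, 2, 3], [1, 2, 4]),        # selector 4 undeclared
        "single_component_scan": jpeg_fragment([1, 2, 3], [1]), # Ns=1, Ss byte compared
        "cut_after_ns": full[:full.index(b"\xff\xda") + 5],     # same shape as capture
    }


if __name__ == "__main__":
    for name, body in cases().items():
        print(f"{'ALERT' if rule_4135_matches(body) else 'ok   '}  {name}")
```

Running it prints one verdict per case; the packet excerpt and the constructed cut-after-Ns fragment both come out as ALERT, the complete three-component image with agreeing selectors does not. The single-component-scan case is included because the chain compares fixed byte positions, not Ns: after an agreeing first selector the next byte examined is Ss, which is compared against the second SOF id.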



