[Snort-sigs] FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606

Russell Fulton r.fulton at ...575...
Mon Jul 26 17:18:27 EDT 2010


I am seeing lots of hits on this rule -- mostly from local ISP addresses which strongly suggests that they are FPs.

sample packet:

16030100300B9BFA00AD
D1DC979808E896F4E7CF
1B85338B5531AF7CF07A
805C0320F78A1929FFEC
B2E2CCA7F1764DBDABFC
7A0A0B


I have lots more sample if anyone wants them -- getting a full session capture might be possible too if needed.


Russell Fulton

Information Security Officer, The University of Auckland
New Zealand







More information about the Snort-sigs mailing list