[Snort-sigs] FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Tue Jul 27 10:23:15 EDT 2010


Hello.  I too see this alert a lot: 25+ times in the past few hours
alone.  Could it be falsing on random encrypted packets, or are these
real exploit attempts?  I too see the packets start with (hex):

1603 0100 300b

Interesting.  Any insights?

-L0rd Ch0de1m0rt

On 7/26/10, Russell Fulton <r.fulton at ...575...> wrote:
> I am seeing lots of hits on this rule -- mostly from local ISP addresses
> which strongly suggests that they are FPs.
>
> sample packet:
>
> 16030100300B9BFA00AD
> D1DC979808E896F4E7CF
> 1B85338B5531AF7CF07A
> 805C0320F78A1929FFEC
> B2E2CCA7F1764DBDABFC
> 7A0A0B
>
>
> I have lots more samples if anyone wants them -- getting a full session
> capture might be possible too if needed.
>
>
> Russell Fulton
>
> Information Security Officer, The University of Auckland
> New Zealand
>
>
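
One way to test the "random encrypted packets" question against the sample posted above, as an added example that is not part of the original thread: it parses the TLS record header and checks whether the record body can be a plaintext handshake message. The function name, result keys and plausibility heuristic are assumptions of this example.

```python
import struct

# Sample packet bytes exactly as posted in the thread above.
SAMPLE_HEX = (
    "16030100300B9BFA00AD" "D1DC979808E896F4E7CF" "1B85338B5531AF7CF07A"
    "805C0320F78A1929FFEC" "B2E2CCA7F1764DBDABFC" "7A0A0B"
)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2 ** 14  # largest plaintext fragment a TLS record may carry


def triage_tls_record(data: bytes) -> dict:
    """Parse one TLS record; test if its body can be a plaintext handshake message."""
    if len(data) < 5:
        raise ValueError("shorter than a TLS record header")
    # Record header: content type, version major/minor, 16-bit length.
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rec_len]
    result = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown"),
        "version": (major, minor),
        "record_length": rec_len,
        "truncated": len(body) < rec_len,  # capture ended before the record did
        "handshake_type": None,
        "handshake_length": None,
        "plausible_plaintext": False,
    }
    if ctype != 22 or len(body) < 4:
        return result
    # Handshake header if the body were plaintext: 1-byte type, 24-bit length.
    hs_len = int.from_bytes(body[1:4], "big")
    result["handshake_type"] = body[0]
    result["handshake_length"] = hs_len
    # Heuristic (assumption): a plaintext message either fits in this record or is
    # fragmented, in which case the first record would normally be a full one.
    result["plausible_plaintext"] = (hs_len + 4 <= rec_len) or rec_len == MAX_FRAGMENT
    return result


if __name__ == "__main__":
    for key, value in triage_tls_record(bytes.fromhex(SAMPLE_HEX)).items():
        print(f"{key}: {value}")
```

On the posted sample this reports a 48-byte TLS 1.0 handshake record whose first body byte is 0x0b, but whose next three bytes would declare a 10,222,080-byte message. That is how ciphertext, such as a handshake message sent after ChangeCipherSpec, reads when interpreted as plaintext.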



