[Snort-sigs] FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606

Alex Kirk akirk at ...435...
Tue Jul 27 11:04:54 EDT 2010


We'll take full-session PCAPs from anyone that has them, and go take a look
at what we can do with the rule based on our research and those packets.
Russell, L0rd, you two probably know where to send, since you're regulars on
this list.

On Tue, Jul 27, 2010 at 10:23 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:

> Hello.  I too see this alert much.  25+ times alone in the past few
> hours.  Could it be falsing on random encrypted packets or is it real
> exploit attempts?  I too see the packets start with (hex):
>
> 1603 0100 300b
>
> Interesting.  Any insights?
>
> -L0rd Ch0de1m0rt
>
> On 7/26/10, Russell Fulton <r.fulton at ...575...> wrote:
> > I am seeing lots of hits on this rule -- mostly from local ISP addresses
> > which strongly suggests that they are FPs.
> >
> > sample packet:
> >
> > 16030100300B9BFA00AD
> > D1DC979808E896F4E7CF
> > 1B85338B5531AF7CF07A
> > 805C0320F78A1929FFEC
> > B2E2CCA7F1764DBDABFC
> > 7A0A0B
> >
> >
> > I have lots more samples if anyone wants them -- getting a full session
> > capture might be possible too if needed.
> >
> >
> > Russell Fulton
> >
> > Information Security Officer, The University of Auckland
> > New Zealand
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
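
A triage check for the sample packet quoted above, as an added example that is not part of the original thread and not the rule's own logic: it parses the TLS record header and tests whether the body is internally consistent as a plaintext Certificate handshake message (type 0x0b). The function names and the length-consistency heuristic are assumptions of this example.

```python
import struct

# Sample packet bytes exactly as posted in the thread (53 bytes).
SAMPLE = bytes.fromhex(
    "16030100300B9BFA00AD" "D1DC979808E896F4E7CF" "1B85338B5531AF7CF07A"
    "805C0320F78A1929FFEC" "B2E2CCA7F1764DBDABFC" "7A0A0B"
)

HANDSHAKE = 0x16      # TLS record content type: handshake
CERTIFICATE = 0x0B    # TLS handshake message type: Certificate


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), body)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    return ctype, (major, minor), body


def triage_certificate(data):
    """Report whether a record parses as a plaintext Certificate message."""
    ctype, version, body = parse_record(data)
    result = {
        "version": version,
        "record_len": len(body),
        "first_byte": body[0] if body else None,
        "plausible_plaintext_certificate": False,
    }
    if ctype != HANDSHAKE or len(body) < 7 or body[0] != CERTIFICATE:
        return result
    # Handshake header: 1-byte type, 3-byte length. A Certificate body then
    # opens with a 3-byte certificate_list length.
    hs_len = int.from_bytes(body[1:4], "big")
    list_len = int.from_bytes(body[4:7], "big")
    result["handshake_len"] = hs_len
    result["cert_list_len"] = list_len
    # In plaintext the two fields must agree: list length == handshake length - 3.
    # Ciphertext that merely starts with 0x0b will almost never satisfy this.
    result["plausible_plaintext_certificate"] = list_len == hs_len - 3
    return result


if __name__ == "__main__":
    print(triage_certificate(SAMPLE))
```

On the posted sample the record is a 48-byte TLS 1.0 handshake record whose two length fields disagree, which is consistent with the encrypted-data explanation raised in the thread rather than with a plaintext Certificate message.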