[Snort-sigs] possible fp on 17297

matan monitz mmonitz at ...2420...
Tue Nov 16 09:07:43 EST 2010


Hello,
I have been trying to investigate a possible FP for 17297, but I can't really figure out what the sig is looking for.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)
I get the first part (content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|";), that's a RAR file header, but what is content:"|E2 CA D4 B2 E2 CA D4 B2|";? Is it supposed to be something in Unicode?
How sure should I be regarding this signature?
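Added example, not part of the original post and not Snort's own matching engine: a minimal re-implementation of the two content matches in SID 17297, so you can see exactly which payloads the rule fires on and where the second sequence lands relative to the header. It models only the content/distance logic of the rule as posted; the flow:to_client,established condition is assumed to be satisfied (server-to-client TCP payload). The sample payloads are constructed stand-ins, not real RAR files or captures, and the example says nothing about what the eight bytes E2 CA D4 B2 E2 CA D4 B2 encode.

```python
# Constructed example: emulate the content matching of Snort SID 17297 rev 3.
# This is not Snort's detection engine; it models one specific semantic:
# the second content carries distance:0 and no within/depth, so Snort starts
# looking for it at the end of the first match and stops only at end of payload.

# First content: 7-byte RAR marker block "Rar!\x1a\x07\x00" followed by the
# first 6 bytes of a RAR main archive header (CRC CF 90, type 0x73, flags 0,
# low byte of the 0x000D header size).
RAR_HEADER = bytes.fromhex("52 61 72 21 1A 07 00 CF 90 73 00 00 0D")
# Second content, taken verbatim from the rule (meaning not established here).
SECOND = bytes.fromhex("E2 CA D4 B2 E2 CA D4 B2")


def snort_content_chain(payload: bytes, patterns) -> bool:
    """Return True if every pattern occurs in order, each one starting at or
    after the end of the previous match (Snort's distance:0 with no within).
    Because there is no upper bound, taking the earliest occurrence of each
    pattern is equivalent to Snort's retry behaviour here."""
    cursor = 0
    for pat in patterns:
        idx = payload.find(pat, cursor)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


def sid_17297_matches(payload: bytes) -> bool:
    """Would the content section of SID 17297 fire on this payload?"""
    return snort_content_chain(payload, [RAR_HEADER, SECOND])


def second_content_offset(payload: bytes) -> int:
    """Bytes between the end of the RAR header match and the start of the
    second content, or -1 if the rule would not fire. When triaging a
    suspected FP this tells you where inside the archive the bytes sit."""
    start = payload.find(RAR_HEADER)
    if start < 0:
        return -1
    end = start + len(RAR_HEADER)
    idx = payload.find(SECOND, end)
    return -1 if idx < 0 else idx - end


# Constructed sample payloads (stand-ins, not valid RAR archives):
# - bytes(7) completes the 13-byte main header with zeroed reserved fields
# - b"\x74\x20" and the filler after it merely imitate a following file block
RAR_PREFIX = RAR_HEADER + bytes(7)
SAMPLE_BENIGN = RAR_PREFIX + b"\x74\x20" + b"readme.txt" + bytes(16)
SAMPLE_HIT = RAR_PREFIX + b"\x74\x20" + b"A" * 40 + SECOND + bytes(16)
SAMPLE_NO_HEADER = b"HTTP/1.1 200 OK\r\n\r\n" + SECOND
SAMPLE_REVERSED = SECOND + RAR_PREFIX          # second content before the header


if __name__ == "__main__":
    for name, sample in [("benign RAR", SAMPLE_BENIGN), ("hit", SAMPLE_HIT),
                         ("no RAR header", SAMPLE_NO_HEADER),
                         ("sequence before header", SAMPLE_REVERSED)]:
        print(f"{name:24s} fires={sid_17297_matches(sample)} "
              f"offset={second_content_offset(sample)}")
```

Running this shows the practical consequence of the rule having no within, depth or pcre: any RAR archive delivered to a client whose contents include those eight bytes at any point after the main header will trigger the rule, whichever field of the archive they happen to fall in. For an FP investigation, feed the reassembled server-to-client payload to second_content_offset to see whether the match is inside a filename field or just archive data.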