[Snort-sigs] possible fp on 17297

rmkml rmkml at ...174...
Tue Nov 16 16:44:50 EST 2010


Hi Matan,
added more references:
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=515
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2152
  http://www.kb.cert.org/vuls/id/324929
  http://www.securityfocus.com/bid/23543
  http://xforce.iss.net/xforce/xfdb/33732
-Maybe check if any port is good for you or maybe add exception port?
-Maybe add "light" within:200; for checking unicode multibyte,
-and maybe add "light" searching long null byte (separator) ending filename like: isdataat:64,relative; content:!"|00|"; within:64;

but the best is how length multibyte unicode vulnerability?

do you have an FP example please?
Regards
Rmkml
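As an added illustration that is not part of the thread, the following Python sketch approximates what sid 17297 matches today and what it would match with the proposed `isdataat:64,relative; content:!"|00|"; within:64;` tightening, run over constructed byte strings. The emulation of Snort's content/distance/isdataat/within semantics is an approximation assumed for this example, not Snort's detection engine.

```python
# Constructed emulation of sid 17297 (assumption: a plain byte search stands
# in for Snort's content/distance/within/isdataat matching).
RAR_HDR = bytes.fromhex("52 61 72 21 1A 07 00 CF 90 73 00 00 0D")  # "Rar!" marker + main header
PATTERN = bytes.fromhex("E2 CA D4 B2 E2 CA D4 B2")                  # second content from the rule


def _locate(payload: bytes) -> int:
    """Return the offset just past the PATTERN match that follows RAR_HDR, or -1.
    distance:0 means PATTERN may start anywhere at or after the end of RAR_HDR."""
    i = payload.find(RAR_HDR)
    if i < 0:
        return -1
    j = payload.find(PATTERN, i + len(RAR_HDR))
    return -1 if j < 0 else j + len(PATTERN)


def matches_sid17297(payload: bytes) -> bool:
    """The rule as posted: RAR header followed later by the 8-byte pattern."""
    return _locate(payload) >= 0


def matches_tightened(payload: bytes) -> bool:
    """The posted rule plus the suggested extra clause:
    isdataat:64,relative  -> at least 64 bytes follow the pattern
    content:!"|00|"; within:64 -> none of those 64 bytes is a NUL
    (i.e. a long filename with no terminator close behind the pattern)."""
    end = _locate(payload)
    if end < 0:
        return False
    tail = payload[end:end + 64]
    if len(tail) < 64:            # isdataat:64,relative fails
        return False
    return b"\x00" not in tail    # negated content within 64 bytes


# Constructed sample payloads (not real captures).
SAMPLE_LONG_NAME = RAR_HDR + b"\x00" * 4 + PATTERN + b"A" * 80       # long, unterminated run
SAMPLE_SHORT = RAR_HDR + PATTERN + b"A" * 10                         # too little data after pattern
SAMPLE_NUL_SOON = RAR_HDR + PATTERN + b"A" * 20 + b"\x00" + b"A" * 60  # NUL inside the 64-byte window
SAMPLE_NOT_RAR = b"PK\x03\x04" + PATTERN + b"A" * 80                 # no RAR header at all

if __name__ == "__main__":
    for name, p in [("long", SAMPLE_LONG_NAME), ("short", SAMPLE_SHORT),
                    ("nul", SAMPLE_NUL_SOON), ("notrar", SAMPLE_NOT_RAR)]:
        print(name, matches_sid17297(p), matches_tightened(p))
```

The short and early-NUL samples show the kind of traffic the current rule flags but the tightened form would not.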


On Tue, 16 Nov 2010, matan monitz wrote:

> hello
> i have been trying to investigate a possible fp for 17297 but i can't really figure out what the sig is looking for
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)
> i get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; ) that's a rar file header but what is: content:"|E2 CA D4 B2 E2 CA D4 B2|";?  is it supposed to be something in unicode?
> how sure should i be regarding this signature?
