[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

waldo kitty wkitty42 at ...3507...
Tue Sep 28 14:46:08 EDT 2010


On 9/28/2010 13:42, Joel Esler wrote:
>
> On Tue, Sep 28, 2010 at 1:25 PM, waldo kitty <wkitty42 at ...3507...
> <mailto:wkitty42 at ...3507...>> wrote:
>
>     On 9/28/2010 11:03, infosec posts wrote:
>      > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
>      > Microsoft Internet Explorer Long URL Buffer Overflow attempt";
>      > flow:established,to_server; urilen:>260; content:"GET"; http_method;
>      > content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
>      > reference:bugtraq,19667; reference:cve,2006-3869;
>      > classtype:attempted-user; sid:17494; rev:1;)
>      >
>      > Unless I am mistaken, we got a brand new signature for something that
>      > was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
>      > broadly that I'm north of 90,000 alerts in an 8-hour overnight time
>      > window before I killed the signature, and still counting as the
>      > buffers flush out from my sensors.
>
>     ouch! that is a bit on the extreme side, isn't it :?
>
>
> Look at the vulnerability CVE for some laughs.  Shame on you IE.

yeah, i know... tell me about it :P

> Sometimes in the act of writing rules for stupid programmer mistakes, it's hard
> to write a rule to catch that craziness.   All you have to do is issue it a big
> long URL?  Seriously?

yeah... back in the day, we called that a buffer overflow and actually we were not
allowed to do such because the compiler would not allow us to do something as
idiotic as that... especially when attempting to put X bytes into a buffer that is
only Y bytes long... larger buffer than what you're copying, no problem...
smaller buffer? you'd better break that thing down into smaller chunks and feed
it a chunk at a time... what were they thinking?
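The thread's complaint is that sid 17494 keys on nothing more specific than a GET with a URI longer than 260 bytes, so it fires on ordinary long URLs. The following Python is an added example, not part of the mailing-list thread and not Snort's own matching engine: it re-implements the rule's three conditions (GET method, urilen:>260, an HTTP/1.1 request line ending in CRLF) as a plain function and runs it over a few constructed request lines. It assumes the raw URI length stands in for Snort's normalized urilen buffer, which is an approximation.

```python
"""Approximate the match logic of the quoted Snort rule (sid 17494) and run
it over constructed HTTP request lines to show how broad a length-only
trigger is. Added example; not code from the thread or from Snort."""

URILEN_THRESHOLD = 260  # from the rule's urilen:>260


def rule_17494_matches(request_line: str) -> bool:
    """Return True when the request line satisfies the rule's conditions:
    content:"GET" with http_method, urilen:>260, and the literal
    content:"HTTP|2F|1|2E|1|0D 0A|" ("HTTP/1.1\\r\\n").
    Assumption: the raw URI length stands in for Snort's normalized urilen."""
    if not request_line.endswith("\r\n"):
        return False
    parts = request_line[:-2].split(" ")
    if len(parts) != 3:
        return False
    method, uri, version = parts
    return (
        method == "GET"                              # content:"GET"; http_method
        and len(uri.encode("utf-8")) > URILEN_THRESHOLD  # urilen:>260
        and version == "HTTP/1.1"                    # HTTP/1.1 followed by CRLF
    )


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = {
    # Normal short page fetch: should not alert.
    "short_get": "GET /index.html HTTP/1.1\r\n",
    # Benign search URL padded with 40 tracking parameters (URI > 260 bytes):
    # this is the kind of everyday traffic the rule alerts on.
    "long_benign_get": "GET /search?q=snort&"
    + "&".join(f"utm_p{i}=v{i}" for i in range(40))
    + " HTTP/1.1\r\n",
    # Long URI but POST method: the http_method check excludes it.
    "long_post": "POST /" + "a" * 300 + " HTTP/1.1\r\n",
    # Long GET but HTTP/1.0: the "HTTP/1.1\r\n" content match fails.
    "long_get_http10": "GET /" + "a" * 300 + " HTTP/1.0\r\n",
}


def evaluate_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_17494_matches(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no alert'}")
```

The only sample that alerts is the benign search URL, which is exactly the point made above: URI length alone does not separate a legitimately long URL from one crafted to overflow a buffer, so a length threshold needs to be paired with something more specific (or tuned per site) before it can run on a busy sensor without burying analysts in alerts.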




More information about the Snort-sigs mailing list