[Snort-sigs] DOS Microsoft IIS 7.5 client verify null pointer attempt

yew chuan Ong yewchuan_23 at ...144...
Thu Apr 19 00:39:01 EDT 2012


Hey guys...

Any ideas on this sig? What is the purpose to search for the keyword "0F"?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IIS 7.5 client verify null pointer attempt"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_jump:2,-3,relative; content:"|16 03 01|"; within:3; content:"|0F|"; within:1; distance:2; reference:cve,2010-3229; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-085; classtype:attempted-dos; sid:17750; rev:8;)

Based on what I know:
[16] [03 01] [00 86] [10] [00 00 82] [00 80 0F ......]

Byte 0 - [16] - Handshake
Byte 1, Byte 2 - [03 01] - TLS1.0
Byte 3, Byte 4 - [00 86] - 134 byte - length of TLS record
Byte 5 - [10] - Client Key Exchange message
Byte 6 - 8 - [00 00 82] - message length 130 bytes

[00 80 0F ...] <- starting from here it is supposed to be encrypted, right?

Any ideas?

Thanks!


Regards
Yew Chuan
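The following is an added example, not part of the original post or of the Snort rule set. It replays the content/byte_jump options of sid:17750 over a constructed TLS 1.0 byte stream so the offset arithmetic can be stepped through. The example models byte_jump:2,-3,relative as Snort's documented behaviour: read the 2-byte record length three bytes behind the detection pointer and move the pointer past those bytes plus that length, which lands on the start of the following TLS record. Per RFC 5246, handshake type 0x10 is client_key_exchange and 0x0F is certificate_verify, so the rule as written fires when a ClientKeyExchange record is immediately followed by a CertificateVerify record; the constructed "normal" sample, where ChangeCipherSpec follows instead, shows the rule staying quiet. All sample bytes are constructed (the 0x86 / 0x82 lengths match the layout in the post); a real sensor would run this over the reassembled to_server stream rather than one buffer.

```python
import struct

# TLS constants from RFC 5246: record content types and handshake message types
HANDSHAKE_RECORD = 0x16
CHANGE_CIPHER_SPEC_RECORD = 0x14
TLS_1_0 = b"\x03\x01"
CLIENT_KEY_EXCHANGE = 0x10   # handshake type 16
CERTIFICATE_VERIFY = 0x0F    # handshake type 15


def tls_record(content_type, body, version=TLS_1_0):
    """Wrap a body in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body


def handshake_msg(hs_type, body):
    """Wrap a body in a handshake header: type(1) length(3)."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def walk_records(data):
    """Return (offset, content_type, handshake_type_or_None, length) per record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        hs_type = body[0] if ctype == HANDSHAKE_RECORD and body else None
        records.append((off, ctype, hs_type, length))
        off += 5 + length
    return records


def sid_17750_matches(payload):
    """Replay the rule's content/byte_jump options over one to_server payload."""
    # content:"|16 03 01|"; depth:3  -> TLS 1.0 handshake record header at offset 0
    if payload[0:3] != b"\x16\x03\x01":
        return False
    doe = 3                      # detection pointer sits after the 3-byte match
    # content:"|10|"; within:1; distance:2 -> skip the 2 length bytes, expect 0x10
    if payload[doe + 2:doe + 3] != b"\x10":
        return False
    doe += 3
    # byte_jump:2,-3,relative -> read the 2-byte record length 3 bytes back and
    # move the pointer past those bytes plus the length: start of the next record
    length = struct.unpack(">H", payload[doe - 3:doe - 1])[0]
    doe = doe - 3 + 2 + length
    # content:"|16 03 01|"; within:3 -> next record must also be a TLS 1.0 handshake
    if payload[doe:doe + 3] != b"\x16\x03\x01":
        return False
    doe += 3
    # content:"|0F|"; within:1; distance:2 -> its handshake type is CertificateVerify
    return payload[doe + 2:doe + 3] == b"\x0F"


# Constructed sample 1: ClientKeyExchange with a 130-byte body (lengths 00 86 /
# 00 00 82 as in the post) directly followed by a CertificateVerify record.
CKE = tls_record(HANDSHAKE_RECORD,
                 handshake_msg(CLIENT_KEY_EXCHANGE, b"\x00\x80" + b"\xAA" * 128))
CERT_VERIFY = tls_record(HANDSHAKE_RECORD,
                         handshake_msg(CERTIFICATE_VERIFY, b"\x00\x40" + b"\xBB" * 64))
SUSPECT_STREAM = CKE + CERT_VERIFY

# Constructed sample 2: the ordinary client flight, ClientKeyExchange then
# ChangeCipherSpec (content type 0x14), which the rule does not match.
CCS = tls_record(CHANGE_CIPHER_SPEC_RECORD, b"\x01")
NORMAL_STREAM = CKE + CCS

if __name__ == "__main__":
    for name, stream in (("suspect", SUSPECT_STREAM), ("normal", NORMAL_STREAM)):
        print(name, walk_records(stream), "match:", sid_17750_matches(stream))
```

Running the block prints the record layout of each stream next to the rule verdict; the second record of the suspect stream starts at offset 139, exactly where the byte_jump lands.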