[Snort-sigs] DOS Microsoft IIS 7.5 client verify null pointer attempt

rmkml rmkml at ...174...
Thu Apr 19 04:24:58 EDT 2012


Hi Yew,
Could you update to revision 9 please? (VRT added two ssl_state options to reduce FPs)
Regards
Rmkml


On Wed, 18 Apr 2012, yew chuan Ong wrote:

> Hey guys...
> 
> Any ideas on this sig? What is the purpose to search for the keyword "0F"?
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IIS 7.5 client verify null pointer attempt"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_jump:2,-3,relative; content:"|16 03 01|"; within:3; content:"|0F|"; within:1; distance:2; reference:cve,2010-3229; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-085; classtype:attempted-dos; sid:17750; rev:8;)
> 
> Based on what I know:
> [16] [03 01] [00 86] [10] [00 00 82] [00 80 0F ......]
> 
> Byte 0 - [16] - Handshake
> Byte 1, Byte 2 - [03 01] - TLS1.0
> Byte 3, Byte 4 - [00 86] - 134 byte - length of TLS record
> Byte 5 - 10 - [16] - Client Key Exchange message
> Byte 6 - 8 - [00 00 82] - message length 130 bytes
> 
> [00 80 0F ...] <- start from here suppose is encrypted right?
> 
> Any ideas?
> 
> Thanks!
> 
> 
> Regards
> Yew Chuan
> 
> 
>
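To make the rule's content/byte_jump chain concrete, here is an added Python example (not code from the thread, Sourcefire VRT, or Snort itself). It walks TLS 1.0 records and emulates sid:17750 option by option: the first `|10|` is the HandshakeType byte of the leading record (client_key_exchange in RFC 5246), `byte_jump:2,-3,relative` reads the 2-byte record length at offsets 3..4 and lands on the start of the next record, and the final `|0F|` is the HandshakeType byte of that second record, which RFC 5246 assigns to certificate_verify; so the rule is looking for a ClientKeyExchange record immediately followed by a CertificateVerify record, not for anything inside the encrypted key-exchange body. The sample payload is constructed (filler bytes in place of a real key exchange), and the byte_jump landing point assumes Snort counts the jump from the end of the bytes it read; the ssl_state options added in rev 9 are not emulated.

```python
"""
Added example, not from the original thread: a minimal TLS 1.0 record walker
plus a step-by-step emulation of the detection chain in sid:17750 as quoted
above. The sample payload below is constructed; the ClientKeyExchange body is
filler, not a real key exchange.
"""
import struct

# HandshakeType values from RFC 5246 section 7.4; the rule's |10| and |0F|
# bytes are compared against this field.
HANDSHAKE_TYPES = {
    0x01: "client_hello",
    0x02: "server_hello",
    0x0B: "certificate",
    0x0C: "server_key_exchange",
    0x0D: "certificate_request",
    0x0E: "server_hello_done",
    0x0F: "certificate_verify",
    0x10: "client_key_exchange",
    0x14: "finished",
}

CONTENT_HANDSHAKE = 0x16


def tls_record(content_type, body, version=b"\x03\x01"):
    """Wrap body in a 5-byte TLS record header: type, version, 16-bit length."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body


def handshake_msg(msg_type, body):
    """Wrap body in a 4-byte handshake header: type + 24-bit length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def iter_records(data):
    """Yield (content_type, version, body) for each complete record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        version = data[off + 1:off + 3]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than mis-parse
        yield ctype, version, body
        off += 5 + length


def describe(data):
    """Name the handshake message carried by each handshake record."""
    names = []
    for ctype, _version, body in iter_records(data):
        if ctype == CONTENT_HANDSHAKE and body:
            names.append(HANDSHAKE_TYPES.get(body[0], "unknown(0x%02x)" % body[0]))
        else:
            names.append("content_type(0x%02x)" % ctype)
    return names


def sid17750_match(payload):
    """Emulate the rule's content/byte_jump chain option by option.

    True when the payload opens with a TLS 1.0 handshake record whose message
    type is 0x10 and the record immediately after it is a TLS 1.0 handshake
    record whose message type is 0x0F.
    """
    # content:"|16 03 01|"; depth:3  -> record header at offset 0
    if payload[:3] != b"\x16\x03\x01":
        return False
    ptr = 3
    # content:"|10|"; within:1; distance:2  -> skip the 2 length bytes,
    # handshake type must sit exactly at offset 5
    if payload[ptr + 2:ptr + 3] != b"\x10":
        return False
    ptr += 3  # detection pointer now just past the |10| byte (offset 6)
    # byte_jump:2,-3,relative  -> read the 2-byte record length at ptr-3
    # (offsets 3..4), then jump that many bytes past the end of those two
    # bytes, i.e. onto the first byte of the next record.
    # (Assumption: Snort counts the jump from the end of the bytes it read.)
    length_pos = ptr - 3
    rec_len = struct.unpack(">H", payload[length_pos:length_pos + 2])[0]
    ptr = length_pos + 2 + rec_len
    # content:"|16 03 01|"; within:3  -> next record must be a TLS 1.0 handshake
    if payload[ptr:ptr + 3] != b"\x16\x03\x01":
        return False
    ptr += 3
    # content:"|0F|"; within:1; distance:2  -> skip its length, check msg type
    return payload[ptr + 2:ptr + 3] == b"\x0f"


# Constructed sample: a 130-byte ClientKeyExchange body (filler) giving the
# [16][03 01][00 86][10][00 00 82] layout from the thread, followed by a
# second record whose handshake type byte is 0x0F.
CKE_RECORD = tls_record(CONTENT_HANDSHAKE, handshake_msg(0x10, b"\x00\x80" + b"\xaa" * 128))
VERIFY_RECORD = tls_record(CONTENT_HANDSHAKE, handshake_msg(0x0F, b"\x00\x40" + b"\xbb" * 64))
FINISHED_RECORD = tls_record(CONTENT_HANDSHAKE, handshake_msg(0x14, b"\xcc" * 12))

SAMPLE_MATCH = CKE_RECORD + VERIFY_RECORD    # what the rule is written to catch
SAMPLE_BENIGN = CKE_RECORD + FINISHED_RECORD  # same first record, no 0x0F after it

if __name__ == "__main__":
    print(" ".join("%02x" % b for b in CKE_RECORD[:9]))  # 16 03 01 00 86 10 00 00 82
    print(describe(SAMPLE_MATCH), sid17750_match(SAMPLE_MATCH))
    print(describe(SAMPLE_BENIGN), sid17750_match(SAMPLE_BENIGN))
```

Running it shows the first nine bytes of the constructed record reproduce the dump in the question, that the two-record sample fires while the ClientKeyExchange followed by Finished does not, and that the match hinges entirely on the handshake type byte of the second record; the `00 80 0F ...` in the original dump is the start of the key-exchange body (the two-byte length 0x0080 of the encrypted pre-master secret), not the `0F` the rule is after.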

