[Snort-sigs] bad range 3038303030303030

Weir, Jason jason.weir at ...3410...
Thu May 24 09:23:25 EDT 2012


Looks like a problem with the following rules... 21902-21906

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21902; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21903; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21904; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21905; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21906; rev:1;)

-J

From: costin [mailto:costinvilcu at ...144...] 
Sent: Thursday, May 24, 2012 5:16 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] bad range 3038303030303030

Hi, 

I am running the 2.9.1.2 version of Snort, and I just applied the VRT rules for
registered users (the one from 4/24/2012).

After restarting Snort, I got the following messages:

"

Starting Snort on interface eth6...
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
"

I got the same messages for every interface I was running Snort on.

Does anyone have more info about these messages?

Thanks,
