[Snort-sigs] bad range 3038303030303030

Alex Kirk akirk at ...435...
Thu May 24 09:54:49 EDT 2012


Here is the version of these rules which is available in the current
subscriber pack, which fixes the problem:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:3;)
akirk at ...3607...:~/cvs/sfeng/research/rules/snort-rules$ grep -hi sid:2190[3-6] *
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:3;)

Looking at the revision history on these, the problem was corrected on
April 26 in subscriber packs, so registered users should have the fix
automatically by May 26 per the standard 30-day lag. That said, since this
is on us, we want to make sure that everyone has access to a fix, so here
it is.

On Thu, May 24, 2012 at 9:23 AM, Weir, Jason <jason.weir at ...3410...> wrote:

> Looks like a problem with the following rules… 21902-21906
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:1;)
>
> -J
>
>
> From: costin [mailto:costinvilcu at ...144...]
> Sent: Thursday, May 24, 2012 5:16 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] bad range 3038303030303030
>
> Hi,
>
> I am running the 2.9.1.2 version of Snort, and I just applied the VRT rules for registered users (the ones from 4/24/2012).
>
> After restarting Snort, I got the following messages:
>
> "
> Starting Snort on interface eth6...
> Bad range: 3038303030303030
> Bad range: 3038303030303030
> Bad range: 3038303030303030
> Bad range: 3038303030303030
> Bad range: 3038303030303030
> "
>
> I got the same messages for every interface I was running Snort on.
>
> Does anyone have more info about these messages?
>
> Thanks,
>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
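Added example, not code from the thread or from the VRT: a small Python emulation of what the corrected `byte_test:8,>,0x08000000,8,relative,little,string,hex` option evaluates on an RTF hex fragment, plus a check that explains the "Bad range" message. The rev:1 value 3038303030303030 is the hex encoding of the ASCII text "08000000" (0x30 is '0', 0x38 is '8'), i.e. the on-the-wire hex digits were pasted where the number they spell was meant, and read as a decimal it does not fit in 32 bits. The sample data, the function names and the field layout after the "Cobj" tag are constructed for illustration; the content strings and threshold are the rule's own. One assumption is stated in the code: that the `little` modifier has no effect on a `string` conversion, which is how I read Snort's string extraction.

```python
import re
from typing import Optional

# Values taken from the thread: the rev:1 rules carried 3038303030303030 as
# the byte_test comparison value, the rev:3 rules carry 0x08000000.
BROKEN_VALUE = "3038303030303030"
FIXED_VALUE = 0x08000000
UINT32_MAX = 0xFFFFFFFF

# "436F626A" is the hex encoding of the ASCII tag "Cobj"; the rule's last
# content match ends right after it, which is what `relative` keys off.
COBJ_HEX = "436F626A"


def make_sample(second_field_hex: str) -> str:
    """Constructed RTF-style hex fragment (not from any real document): the
    three content matches of sid 21902 in order, then two 4-byte fields
    written as 8 hex digits each, the way bytes appear in an RTF \\objdata
    hex dump.  The caller varies only the second field (assumed layout)."""
    return "21433412" + "4E087DEB" + COBJ_HEX + "0C000000" + second_field_hex


def content_cursor(data: str) -> Optional[int]:
    """Walk the rule's three content matches in order (each `distance:0`
    from the previous) and return the position just after the last one, or
    None if the chain does not match.  nocase is emulated by case-folding."""
    pos = 0
    hay = data.upper()
    for needle in ("21433412", "4E087DEB", COBJ_HEX):
        i = hay.find(needle, pos)
        if i < 0:
            return None
        pos = i + len(needle)
    return pos


def byte_test_string_hex(data: str, cursor: int, nbytes: int, op: str,
                         value: int, offset: int) -> bool:
    """Emulate byte_test:<nbytes>,<op>,<value>,<offset>,relative,string,hex.
    With `string,hex`, nbytes ASCII characters at cursor+offset are read and
    converted as a hex number in the order they appear.  Assumption: the
    `little` modifier does not apply to a string conversion, so a
    little-endian DWORD hex-dumped as "0C000000" is compared as 0x0C000000,
    not as 12."""
    start = cursor + offset
    field = data[start:start + nbytes]
    if len(field) != nbytes or not re.fullmatch(r"[0-9A-Fa-f]+", field):
        return False  # out of bounds or not hex digits: no match
    extracted = int(field, 16)
    return {">": extracted > value,
            "<": extracted < value,
            "=": extracted == value}[op]


def rev3_rule_matches(data: str) -> bool:
    """Payload logic of sid 21902 rev:3 applied to a hex fragment:
    byte_test:8,>,0x08000000,8,relative,little,string,hex."""
    cursor = content_cursor(data)
    if cursor is None:
        return False
    return byte_test_string_hex(data, cursor, 8, ">", FIXED_VALUE, 8)


def diagnose_broken_value(value_text: str = BROKEN_VALUE) -> dict:
    """Why the rev:1 value was rejected, and what it was meant to be."""
    as_written = int(value_text, 0)      # no 0x prefix, so it reads as decimal
    decoded = bytes.fromhex(value_text)  # 30 38 30 30 30 30 30 30 -> b"08000000"
    intended = int(decoded.decode("ascii"), 16)  # the number those digits spell
    return {
        "fits_uint32": as_written <= UINT32_MAX,
        "decoded_ascii": decoded.decode("ascii"),
        "intended_value": intended,
        "matches_rev3_value": intended == FIXED_VALUE,
    }


if __name__ == "__main__":
    print(diagnose_broken_value())
    for field in ("08000000", "08000001", "0C000000", "01000000"):
        print(field, rev3_rule_matches(make_sample(field)))
```

Before restarting a sensor after a rule update, `snort -T -c <snort.conf>` parses the configuration and rules without sniffing, so a "Bad range" from a bad byte_test value shows up there rather than at the point where every interface restarts.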