[Snort-sigs] Sourcefire VRT Certified Snort Rules for CVE-2013-3906

Jeremy Scott JeremyScott at ...3854...
Thu Nov 7 22:05:26 EST 2013


What's the possibility of false negatives with the rules package for CVE-2013-3906 (SID 28464-71)? I'm just trying to validate if I'm understanding the rule logic correctly.

The content is matching the STRIPBYTECOUNT TIFF Tag (01 17 00 04 00 00 00 01). By specifying a value of 1 for the number of strips in the file, it seems that it will bypass the rule from being triggered if more than 1 strip is used to trigger the vulnerable condition.


Jeremy Scott


Senior Research Analyst
Security Engineering Research Team (SERT)

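Added example (not part of the original post, and not taken from the VRT rules): the Python below compares a fixed match on the 8 bytes quoted in the post with the StripByteCounts tag, type and count parsed from the TIFF IFD itself, using two constructed big-endian samples. The names `build_tiff`, `strip_byte_counts_entry` and `compare` are hypothetical, and the example only shows how the entry is encoded; it says nothing about which strip counts reach the vulnerable condition.

```python
import struct

# Bytes quoted in the post: tag 0x0117 (StripByteCounts), type 4 (LONG), count 1.
RULE_PATTERN = bytes.fromhex("0117000400000001")
STRIP_BYTE_COUNTS = 0x0117

def build_tiff(strip_count):
    """Constructed sample: big-endian TIFF header plus an IFD holding only StripByteCounts."""
    header = b"MM" + struct.pack(">HI", 42, 8)        # magic 42, first IFD at offset 8
    # One LONG fits inline in the value field; several are stored after the IFD (offset 26).
    value = 0x10 if strip_count == 1 else 26
    entry = struct.pack(">HHII", STRIP_BYTE_COUNTS, 4, strip_count, value)
    ifd = struct.pack(">H", 1) + entry + struct.pack(">I", 0)   # 1 entry, no next IFD
    counts = [0x10] * strip_count if strip_count > 1 else []
    return header + ifd + struct.pack(">%dI" % len(counts), *counts)

def strip_byte_counts_entry(data):
    """Walk the first IFD and return (field_type, count) for tag 0x0117, or None."""
    if len(data) < 8 or data[:2] not in (b"MM", b"II"):
        raise ValueError("not a TIFF header")
    order = ">" if data[:2] == b"MM" else "<"
    magic, ifd_off = struct.unpack_from(order + "HI", data, 2)
    if magic != 42 or ifd_off + 2 > len(data):
        raise ValueError("bad magic or IFD offset")
    (entries,) = struct.unpack_from(order + "H", data, ifd_off)
    for i in range(entries):
        off = ifd_off + 2 + 12 * i                    # each IFD entry is 12 bytes
        if off + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, ftype, count, _value = struct.unpack_from(order + "HHII", data, off)
        if tag == STRIP_BYTE_COUNTS:
            return ftype, count
    return None

def compare(data):
    """Return (fixed 8-byte pattern present, parsed (type, count)) for one sample."""
    return RULE_PATTERN in data, strip_byte_counts_entry(data)

if __name__ == "__main__":
    for strips in (1, 3):
        hit, entry = compare(build_tiff(strips))
        print("strips=%d fixed_pattern=%s parsed_entry=%s" % (strips, hit, entry))
```

Running the same comparison over real samples shows whether detection that keys on the parsed tag and type, rather than on the full 8 bytes including the count, would cover files the fixed match misses.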





