[Snort-sigs] StageFright rules possible?

Geoffrey Serrao gserrao at ...435...
Fri Aug 21 09:32:14 EDT 2015


Sids 35434-35435 will alert on MP4 files that exploit stagefright.

Protocol decoding is handled by the appropriate Snort preprocessor

On Thu, Aug 20, 2015 at 12:44 PM, Strnad Dominik <dominik.strnad at ...4068...
> wrote:

> Hello all,
> I do work for mobile operator and we take Android StageFright
> vulnerability really seriously. We are trying to find some flexible long
> term solution, so we can handle such a threats in future. We are as well
> afraid, that for many Android devices, there will never be OTA update
> available to patch StageFright. :-(
> As Mpeg4 container is a ‘’bit’’ complicated structure I am not sure, if
> Snort rules could cover StageFright multiple buffers over/under flows
> described in corresponding CVEs. It is even more challenging as WAP or HTTP
> protocols could be used to deliver this vulnerability in MIME encoded MP4
> attachment. So my question is, is it doable? Thank you. ☺
> Some useful links:
> http://translate.wooyun.io/2015/08/08/Stagefright-Vulnerability-Disclosure.html
> http://xhelmboyx.tripod.com/formats/mp4-layout.txt
> Kind regards
> Dominik Strnad
> Zásady komunikace, které společnost T-Mobile Czech Republic a.s. užívá při
> sjednávání smluv, jsou uvedeny zde<
> http://www.t-mobile.cz/dcpublic/Zasady_komunikace_pri_sjednavani_smluv_cz.pdf>.
> Není-li v zásadách uvedeno jinak, nepředstavuje tato zpráva konečný návrh
> na uzavření či změnu smlouvy ani přijetí takového návrhu. The communication
> principles which T-Mobile Czech Republic a.s. applies when negotiating
> contracts are defined here<
> http://www.t-mobile.cz/dcpublic/Zasady_komunikace_pri_sjednavani_smluv_en.pdf>.
> Unless otherwise stated in the principles, this message does not constitute
> the final offer to contract or an amendment of a contract or acceptance of
> such offer.
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150821/1c9cc622/attachment.html>

More information about the Snort-sigs mailing list