[Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Al Lewis (allewi) allewi at ...3865...
Fri Jan 20 12:35:08 EST 2017


Hello Charlie,

Do you have a pcap of the traffic that produced some of these false positives?


Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...3865...

From: Charlie Dyer <charlierwdyer at ...2420...>
Date: Friday, January 20, 2017 at 12:07 PM
To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Hi list

The number of false positives these two rules produce is huge!
Has anyone else seen the same or amended the rule to be a bit more specific to the exploit, i.e. user agent is Acrobat Reader or something so it's a bit more specific.

Any thoughts gratefully received

Charlie

