[Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Charlie Dyer charlierwdyer at ...2420...
Fri Jan 20 12:54:16 EST 2017


I won't be able to do that but below is a small subset of URLs that
triggered the alerts.
Presumably the browser requesting these files means these alerts aren't
anything to worry about, as the related CVEs are to do with Acrobat Reader
and Acrobat DC, right?

www.minitorque.com/forum/customavatars/avatar7001_1.gif
disclaimer.akbank.com/images/disclaimer19.jpg
www.metoffice.gov.uk/media/image/0/q/surfacepressurechart.jpg





On Fri, Jan 20, 2017 at 5:35 PM, Al Lewis (allewi) <allewi at ...3865...> wrote:

> Hello Charlie,
>
> Do you have a pcap of the traffic that produced some of these false
> positives?
>
>
> Thanks.
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...3865...
>
> From: Charlie Dyer <charlierwdyer at ...2420...>
> Date: Friday, January 20, 2017 at 12:07 PM
> To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
> Subject: [Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro
> malformed JPEG APP1 segment out of bounds memory access attempt
>
> Hi list
>
> The number of false positives these two rules produce is huge!
> Has anyone else seen the same or amended the rule to be a bit more
> specific to the exploit, i.e. user agent is Acrobat Reader or something so
> it's a bit more specific.
>
> Any thoughts gratefully received
>
> Charlie
>