[Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Nick Randolph drandolph at ...435...
Mon Jan 23 09:50:42 EST 2017


Charlie,

We released an update on Friday that included a revision to this rule. Can
you let us know if you are still having FP issues?

On Fri, Jan 20, 2017 at 12:54 PM, Charlie Dyer <charlierwdyer at ...2420...>
wrote:

> I won't be able to do that but below is a small subset of URLs that
> triggered the alerts.
> Presumably the browser requesting these files means these alerts aren't
> anything to worry about, as the related CVEs are to do with Acrobat Reader
> and Acrobat DC right?
>
> www.minitorque.com/forum/customavatars/avatar7001_1.gif
> disclaimer.akbank.com/images/disclaimer19.jpg
> www.metoffice.gov.uk/media/image/0/q/surfacepressurechart.jpg
>
> On Fri, Jan 20, 2017 at 5:35 PM, Al Lewis (allewi) <allewi at ...3865...>
> wrote:
>
>> Hello Charlie,
>>
>> Do you have a pcap of the traffic that produced some of these false
>> positives?
>>
>>
>> Thanks.
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...3865...
>>
>> From: Charlie Dyer <charlierwdyer at ...2420...>
>> Date: Friday, January 20, 2017 at 12:07 PM
>> To: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
>> Subject: [Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat
>> Pro malformed JPEG APP1 segment out of bounds memory access attempt
>>
>> Hi list
>>
>> The number of false positives these two rules produce is huge!
>> Has anyone else seen the same or amended the rule to be a bit more
>> specific to the exploit, i.e. user agent is Acrobat Reader or something, so
>> it's a bit more specific?
>>
>> Any thoughts gratefully received
>>
>> Charlie
>>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
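An added illustration of the check the rule title describes, written for this archive page and not taken from the thread or from SIDs 41338/41340 themselves (the thread never quotes the rule body, so the actual rule options are not assumed here). A JPEG APP1 segment carries a 2-byte big-endian length; "out of bounds" in the rule name points at a declared length that reaches past the bytes actually present. The walker below reports exactly that condition for a file pulled from a pcap, and reports "other" for a GIF (the first URL in Charlie's list), which has no JPEG marker structure to compare at all. The sample files are constructed inline; `build_jpeg` and `check_app1_segments` are names chosen for this example.

```python
import struct
from typing import Optional

# JPEG marker codes (second byte after 0xFF)
SOI, EOI, APP1, SOS, TEM = 0xD8, 0xD9, 0xE1, 0xDA, 0x01


def build_jpeg(app1_payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Constructed sample: SOI, one APP1 segment, EOI.
    declared_len overrides the length field so a malformed file can be built."""
    seg_len = len(app1_payload) + 2 if declared_len is None else declared_len
    return (bytes([0xFF, SOI])
            + bytes([0xFF, APP1]) + struct.pack(">H", seg_len) + app1_payload
            + bytes([0xFF, EOI]))


def check_app1_segments(data: bytes) -> dict:
    """Walk JPEG marker segments and report whether each APP1 segment's declared
    length fits inside the buffer.

    Returns {"format": "jpeg"|"other",
             "app1": [(offset_of_marker, declared_len, bytes_available)],
             "malformed": bool}
    A length is malformed when it is below 2 (it must cover its own field) or
    exceeds the bytes remaining from the length field to the end of the data.
    """
    report = {"format": "other", "app1": [], "malformed": False}
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return report  # GIF, PNG, truncated data: nothing JPEG-shaped to check
    report["format"] = "jpeg"
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == EOI:
            break
        if marker == 0xFF:  # fill byte before a marker: skip one byte
            pos += 1
            continue
        if marker in (SOI, TEM) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers (RSTn etc.) carry no length field
            continue
        if pos + 4 > len(data):  # the length field itself is cut off
            if marker == APP1:
                report["malformed"] = True
            break
        declared = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        available = len(data) - (pos + 2)  # bytes from the length field onward
        out_of_bounds = declared < 2 or declared > available
        if marker == APP1:
            report["app1"].append((pos, declared, available))
            if out_of_bounds:
                report["malformed"] = True
                break
        elif out_of_bounds:
            break  # some other segment is broken; stop rather than read past it
        if marker == SOS:
            break  # entropy-coded scan data follows, no more marker segments
        pos += 2 + declared
    return report


if __name__ == "__main__":
    # Constructed inputs: a well-formed file, one with a 0xFFFF APP1 length, a GIF.
    good = build_jpeg(b"Exif\x00\x00" + b"\x00" * 10)
    bad = build_jpeg(b"Exif\x00\x00", declared_len=0xFFFF)
    gif = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    for name, blob in (("good", good), ("bad", bad), ("gif", gif)):
        print(name, check_app1_segments(blob))
```

Run against files carved from the pcap Al asked for, a report of `"format": "other"` or `"malformed": False` on an image that still alerted is the concrete evidence to attach when reporting the false positive back to the list.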

