<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6617.6">
<TITLE>Windows Messenger/MSN Messenger</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2 FACE="Arial">I've been reviewing the new signatures for the PNG Buffer Overflow Vulnerability (MS05-009), and I'm not sure that these would even work. From the testing that I've done today, every capture is wrapped in Microsoft's messaging protocol and generates false negatives when a PNG image is displayed or transferred. Any thoughts?</FONT></P>

<P><FONT SIZE=2 FACE="Arial">Snort Signatures: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; distance:4; within:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype:attempted-admin; sid:2673; rev:2;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:2001058; rev:2;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">Snort Signatures: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"libPNG - Remotely exploitable stack-based bufferoverrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S])\x03/Ri"; content:"tRNS"; byte_jump:4,-8,relative,big; pcre:"/([\s\S])/R"; pcre:"/([a-zA-Z])[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2000000; rev:1;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; distance:4; within:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype:attempted-admin; sid:2673; rev:2;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:1000117; rev:2;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:2001058; rev:2;) </FONT></P>

<P><FONT SIZE=2 FACE="Arial">Thx</FONT>
</P>

<P><B><FONT COLOR="#000080" SIZE=2 FACE="Palatino Linotype">Paul D. Jaramillo</FONT></B>

<BR><FONT SIZE=2 FACE="Palatino Linotype">Security Event Management</FONT>

<BR><FONT SIZE=2 FACE="Palatino Linotype">Sprint Corporate Security</FONT>

<BR><FONT SIZE=2 FACE="Palatino Linotype">913-315-8036</FONT>
</P>
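<P><FONT SIZE=2 FACE="Arial">The following is an added example, not code from the original mail or from the Snort/Bleeding-Edge rule sets, that re-implements the payload logic of sid 2673 (PNG signature, IHDR as first chunk, no PLTE before tRNS, tRNS declared length > 256 read by byte_test at offset -8) as a small Python chunk walker, and applies the rule header's port restriction in front of it. It shows the two things a signature reviewer wants to separate: whether the payload checks would match the bytes at all, and whether the rule ever gets to see them. The $HTTP_PORTS set, the switchboard port 1863 and the opaque wrapper bytes are assumptions constructed for the test and do not come from the mail; the PNG test vectors are zero-filled detection samples, not real captures.</FONT></P>

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumption: a typical $HTTP_PORTS variable. The rules in the mail only
# inspect traffic whose source port is in this set (flow:to_client).
HTTP_PORTS = {80, 8080, 8000, 8008}

# Constructed stand-in for a messaging-protocol framing header in front of
# the image bytes (not the real MSN wire format, just opaque bytes).
WRAPPER = b"MSG 1 N 1024\r\nContent-Type: application/x-msnmsgrp2p\r\n\r\n" + b"\x00" * 48


def find_trns_overflow(payload: bytes):
    """Mirror the payload options of sid 2673.
    Returns (matched, reason)."""
    start = payload.find(PNG_SIG)            # content:"|89|PNG|0D 0A 1A 0A|"
    if start < 0:
        return False, "no PNG signature"
    pos = start + len(PNG_SIG)
    # content:"IHDR"; distance:4; within:4 -> type field right after the 4-byte length
    if payload[pos + 4:pos + 8] != b"IHDR":
        return False, "IHDR is not the first chunk"
    # Walk chunks: [length:4][type:4][data:length][crc:4]
    while pos + 8 <= len(payload):
        length, ctype = struct.unpack(">I4s", payload[pos:pos + 8])
        if ctype == b"PLTE":
            return False, "PLTE precedes tRNS"   # pcre negative lookahead (?!.*?PLTE)
        if ctype == b"tRNS":
            # byte_test:4,>,256,-8,relative,big reads this chunk's length field
            if length > 256:
                return True, f"tRNS declared length {length} > 256"
            return False, f"tRNS declared length {length} within limit"
        pos += 8 + length + 4                     # length is attacker-controlled; loop still terminates
    return False, "no tRNS chunk before end of buffer"


def rule_fires(src_port: int, dst_port: int, payload: bytes):
    """Apply the rule header ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any)
    before the payload options, the way Snort does."""
    if src_port not in HTTP_PORTS:
        return False, "source port not in $HTTP_PORTS; payload options never evaluated"
    return find_trns_overflow(payload)


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(trns_len: int, with_plte: bool = False) -> bytes:
    """Constructed 1x1 8-bit palette PNG detection sample with a tRNS chunk
    of the requested declared length (data is zero-filled)."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0))
    body = PNG_SIG + ihdr
    if with_plte:
        body += chunk(b"PLTE", b"\x00\x00\x00")
    body += chunk(b"tRNS", b"\x00" * trns_len)
    body += chunk(b"IEND", b"")
    return body


if __name__ == "__main__":
    sample = make_png(300)
    print("plain PNG over port 80:        ", rule_fires(80, 3456, sample))
    print("wrapped PNG over port 80:      ", rule_fires(80, 3456, WRAPPER + sample))
    print("wrapped PNG over port 1863:    ", rule_fires(1863, 3456, WRAPPER + sample))
    print("payload check only, wrapped:   ", find_trns_overflow(WRAPPER + sample))
    print("tRNS of 256 entries:           ", find_trns_overflow(make_png(256)))
    print("PLTE before tRNS:              ", find_trns_overflow(make_png(300, True)))
```

<P><FONT SIZE=2 FACE="Arial">Two observations fall out of running it. The content/pcre/byte_test options are position-relative to the PNG signature, so a framing header in front of the image does not by itself defeat them; the payload check still matches the wrapped sample. What does suppress the alert is the rule header: every rule quoted above is bound to $HTTP_PORTS (or port 80) as the source port, so a transfer on any other port is never handed to the payload options at all. A second caveat worth checking in the captures is reassembly: the signature, IHDR and tRNS checks must all land in the same packet or reassembled buffer, so an image split across several protocol frames can also fail to match even on a port the rule covers.</FONT></P>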

</BODY>
</HTML>