[Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Mar 25 18:44:25 EDT 2009

I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (1:13318), and I'm thinking this is a false positive.  The snort page for the alert doesn't list any known false positives.

Some of the payload info:

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 20:51:54 GMT
Server: Apache/1.3.41.fb2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
X-Cnection: close
Transfer-Encoding: chunked
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip

The reason I think it may be a false positive is the fact that this appears to be JavaScript, and is gzipped (??).  I've seen other alerts triggered by JPEGs, and I've always assumed they were false positives, but I wanted to run it by all of you because I could be missing something!

Also, if this is a false positive, how do I go about helping fill out the Snort alert DB on the website?
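A way to check the kind of question raised in the post, added here as an example and not code from the post or from the Snort project: sid 13318 looks for structure that belongs in an MP4 file, so the useful triage step is to recover the bytes a client would actually parse (undo the chunking and the gzip) and see whether they form an ISO BMFF box sequence at all. Snort's content matches run over the bytes on the wire; if the HTTP preprocessor in use does not decompress the body, a match lands on compressed data, which is effectively random and can contain any short byte sequence by chance. The sample responses below are constructed: the headers are modelled on those quoted above, the bodies are invented, and the rule's own byte pattern is deliberately not reproduced.

```python
"""Triage an HTTP response that tripped a file-format rule.

Added example, not from the original post or the Snort project. The sample
responses are constructed; headers are modelled on the post, bodies invented.
"""
import gzip
import string

PRINTABLE = set(string.printable.encode("ascii"))


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (chunk extensions ignored)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            break                      # last-chunk marker; trailers ignored
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2         # skip the CRLF that ends the chunk
    return bytes(out)


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo chunking and gzip so we see the bytes the client's parser would see."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def walk_boxes(data: bytes):
    """Parse ISO BMFF (MP4) top-level boxes: 4-byte big-endian size + 4-byte type.
    Returns the list of box types if the whole buffer parses cleanly, else None."""
    pos, types = 0, []
    while pos + 8 <= len(data):
        size = int.from_bytes(data[pos:pos + 4], "big")
        btype = data[pos + 4:pos + 8]
        if not all(0x20 <= c < 0x7F for c in btype):
            return None                # box types are printable ASCII
        if size == 0:
            size = len(data) - pos     # size 0 means "to end of file"
        if size == 1 or size < 8 or pos + size > len(data):
            return None                # 64-bit largesize not handled here
        types.append(btype.decode("ascii"))
        pos += size
    return types if types and pos == len(data) else None


def classify(data: bytes) -> str:
    """Rough content class: 'mp4' (box sequence starting with ftyp), 'text' or 'binary'."""
    boxes = walk_boxes(data)
    if boxes and boxes[0] == "ftyp":
        return "mp4"
    if data and sum(b in PRINTABLE for b in data) / len(data) > 0.95:
        return "text"
    return "binary"


def triage(raw: bytes) -> dict:
    """Classify both the on-the-wire body and the decoded body of a response."""
    status, headers, body = split_response(raw)
    decoded = decode_body(headers, body)
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "wire_kind": classify(body),
        "decoded_kind": classify(decoded),
        "decoded_len": len(decoded),
    }


def chunked(body: bytes, size: int = 16) -> bytes:
    """Chunk-encode a body; used only to build the constructed samples below."""
    out = b"".join(b"%x\r\n%s\r\n" % (len(body[i:i + size]), body[i:i + size])
                   for i in range(0, len(body), size))
    return out + b"0\r\n\r\n"


# Constructed sample 1: gzipped, chunked JavaScript, headers modelled on the post.
JS_BODY = b"(function(){var lag=3;window.madeWriteConn=true;})();\n"
JS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.41.fb2\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: application/x-javascript; charset=utf-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"\r\n" + chunked(gzip.compress(JS_BODY, mtime=0))
)

# Constructed sample 2: a minimal MP4 container (ftyp, free, mdat boxes), invented bytes.
MP4_BODY = (
    b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isommp42"
    b"\x00\x00\x00\x08free"
    b"\x00\x00\x00\x10mdat\xde\xad\xbe\xef\x00\x01\x02\x03"
)
MP4_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: video/mp4\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(MP4_BODY) + MP4_BODY
)

if __name__ == "__main__":
    for name, raw in (("js", JS_RESPONSE), ("mp4", MP4_RESPONSE)):
        print(name, triage(raw))
```

For the JavaScript sample the wire body classifies as binary (it is a gzip stream) and the decoded body as text with no box structure, which is the evidence to attach when reporting a false positive. If the source turns out to be benign and noisy, a line such as `suppress gen_id 1, sig_id 13318, track by_src, ip <server address>` in threshold.conf silences that sid for that server without disabling the rule.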


