[Snort-users] Oddness with 16295

rmkml rmkml at ...1855...
Wed Nov 10 15:37:46 EST 2010


Hi James,
Maybe you have VLAN tags in your pcap?
Could you test with Wireshark/tshark?
Can you share your pcap with me?
Regards
Rmkml


On Wed, 10 Nov 2010, Lay, James wrote:

> So this is weird... looking at this hit:
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
> library heap buffer overflow - without optional fields [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 204.11.109.23:80 -> 10.21.0.16:64385
>
> Fairly certain it's an FP, but... when I hit the pcap dump file, it
> doesn't show... here are consecutive hits in the alert file:
> 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file
> memory corruption [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>
> 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file
> memory corruption [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
> library heap buffer overflow - without optional fields [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 204.11.109.23:80 -> 10.21.0.16:64385
>
> 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
> CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
>
> And from the pcapfile:
> sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
> 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
> 1081895485, win 4789, length 1400
> 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
> 1, win 4789, length 1400
> 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack
> 2261207081, win 65535, length 536
>
> So where did 16295 go?  A quick check for that IP gives nothing:
> [10:48:24 jlay at ...15049...:~/log$] sudo tcpdump -n -s 1524 -r
> internettcpdump.pcap.1289401395 ip and host 204.11.109.23
> reading from file internettcpdump.pcap.1289401395, link-type EN10MB
> (Ethernet)
>
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
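As an added example (not code from the thread), here is the alert-to-pcap correlation James did by hand, done over Snort fast-alert lines and raw Ethernet frames, with 802.1Q-tagged frames recognised so that an alert whose packets only exist under a VLAN tag is reported as such. The capture is constructed inline as a stand-in for the real pcap, with the 16295 flow tagged to illustrate rmkml's hypothesis.

```python
import re
import struct
from ipaddress import ip_address

# Snort "fast" alert lines as in the thread; only the TCP 5-tuple is needed.
ALERT_RE = re.compile(r"\{TCP\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")

def parse_alerts(text):
    """Return (src, sport, dst, dport) for every TCP alert line."""
    return [(s, int(sp), d, int(dp)) for s, sp, d, dp in ALERT_RE.findall(text)]

def frame_flow(frame):
    """Return (vlan_tagged, 5-tuple) for an IPv4/TCP Ethernet frame, else None."""
    ethertype, off, tagged = struct.unpack("!H", frame[12:14])[0], 14, False
    if ethertype == 0x8100:  # 802.1Q: TPID + 2-byte TCI, then the real ethertype
        ethertype, off, tagged = struct.unpack("!H", frame[16:18])[0], 18, True
    if ethertype != 0x0800 or frame[off + 9] != 6:  # not IPv4, or not TCP
        return None
    ihl = (frame[off] & 0x0F) * 4
    src, dst = (str(ip_address(frame[off + i:off + i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return tagged, (src, sport, dst, dport)

def correlate(alert_text, frames):
    """Map each alert 5-tuple to 'plain', 'vlan' (only seen under an 802.1Q
    tag, so a filter like 'ip and host X' would miss it) or 'missing'."""
    seen = {}
    for frame in frames:
        parsed = frame_flow(frame)
        if parsed:
            seen.setdefault(parsed[1], "vlan" if parsed[0] else "plain")
    return {flow: seen.get(flow, "missing") for flow in parse_alerts(alert_text)}

def tcp_frame(src, sport, dst, dport, vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame (headers only) for the sample capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 4789, 0, 0)
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return b"\x00" * 12 + tag + b"\x08\x00" + ip + tcp

# Constructed sample: two alert lines from the thread and a stand-in capture in
# which the 16295 flow arrived VLAN-tagged, the hypothesis raised in the reply.
SAMPLE_ALERTS = """\
11/10-10:37:25.096951 [**] [1:12280:2] WEB-CLIENT VML ... {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky ... {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
"""
SAMPLE_FRAMES = [tcp_frame("67.23.129.249", 80, "10.21.0.16", 64185),
                 tcp_frame("204.11.109.23", 80, "10.21.0.16", 64385, vlan_id=100)]
```

With tcpdump the same check against the real pcap is to prefix the filter with `vlan and`, since the plain `ip and host ...` expression only matches untagged frames.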