[Snort-users] Oddness with 16295

James Lay jlay at ...13475...
Wed Nov 10 22:08:12 EST 2010


Negative, but good thought.  I will try and see if I can capture another
one.

James

On 11/10/10 1:37 PM, "rmkml" <rmkml at ...1855...> wrote:

>Hi James,
>maybe you have VLAN on your pcap?
>could you test with wireshark/tshark?
>can you share your pcap with me?
>Regards
>Rmkml
>
>
>On Wed, 10 Nov 2010, Lay, James wrote:
>
>> So this is weird... looking at this hit:
>> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
>> library heap buffer overflow - without optional fields [**]
>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>> 204.11.109.23:80 -> 10.21.0.16:64385
>>
>> Fairly certain it's an FP, but... when I hit the pcap dump file, it
>> doesn't show. Here are consecutive hits in the alert file:
>> 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file
>> memory corruption [**] [Classification: Attempted User Privilege Gain]
>> [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>>
>> 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file
>> memory corruption [**] [Classification: Attempted User Privilege Gain]
>> [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>>
>> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
>> library heap buffer overflow - without optional fields [**]
>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>> 204.11.109.23:80 -> 10.21.0.16:64385
>>
>> 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
>> CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
>>
>> And from the pcapfile:
>> sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
>> 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
>> 1081895485, win 4789, length 1400
>> 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
>> 1, win 4789, length 1400
>> 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack
>> 2261207081, win 65535, length 536
>>
>> So where did 16295 go?  A quick check for that IP gives nothing:
>> [10:48:24 jlay at ...15049...:~/log$] sudo tcpdump -n -s 1524 -r
>> internettcpdump.pcap.1289401395 ip and host 204.11.109.23
>> reading from file internettcpdump.pcap.1289401395, link-type EN10MB
>> (Ethernet)
>>
>> James Lay
>> IT Security Analyst
>> WinCo Foods
>> 208-672-2014 Office
>> 208-559-1855 Cell
>> 650 N Armstrong Pl.
>> Boise, Idaho 83704
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
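One way to test rmkml's VLAN hypothesis offline, as an added example that is not part of the thread and not Snort's or tcpdump's code: a plain `tcpdump -r file 'ip and host X'` tests the ethertype at offset 12, which is 0x8100 on an 802.1Q-tagged frame, so `ip` never matches and the host appears to be absent, while Snort's decoder strips the tag before rule matching and alerts anyway. The block below builds a small pcap in memory (constructed sample data: the addresses and ports are taken from the alert lines above, the VLAN ID 100 and the MAC addresses are assumptions, and the TCP segments carry no payload) and reads it back both ways.

```python
"""Show how a host hides from a non-VLAN-aware filter inside 802.1Q frames.

Added example; the pcap is constructed in memory, not captured traffic.
"""
import socket
import struct
from typing import List, Optional, Tuple

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8   # 802.1ad (QinQ) outer tag

Record = Tuple[str, str, int, int, Optional[int]]  # src, dst, sport, dport, vlan


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal TCP header: ACK set, no options, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 4789, 0, 0)


def ethernet_frame(payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Ethernet II frame; inserts an 802.1Q tag (PCP 0, DEI 0) when vlan_id is given."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # assumed MACs
    if vlan_id is None:
        return macs + struct.pack("!H", ETH_P_IP) + payload
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Little-endian pcap: 24-byte global header (link type 1 = EN10MB) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1289407000 + i, 0, len(frame), len(frame)) + frame
    return out


def pcap_records(data: bytes):
    """Yield raw frame bytes from a little-endian microsecond pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame: bytes, vlan_aware: bool) -> Optional[Record]:
    """Decode IPv4 (and TCP ports) from a frame.

    vlan_aware=False mimics a BPF filter written without the `vlan` keyword:
    the ethertype at offset 12 is 0x8100 on a tagged frame, so `ip` fails.
    vlan_aware=True walks 802.1Q / 802.1ad tags first, as an IDS decoder does.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan_id = 14, None
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if not vlan_aware:
            return None
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan_id = tci & 0x0FFF          # innermost tag wins for QinQ
        off += 4
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[off] & 0x0F) * 4
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    if frame[off + 9] != 6:             # not TCP: report addresses only
        return (src, dst, 0, 0, vlan_id)
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return (src, dst, sport, dport, vlan_id)


def find_host(pcap: bytes, host: str, vlan_aware: bool) -> List[Record]:
    """Equivalent of `tcpdump -r file host X`, with or without VLAN unwrapping."""
    hits = []
    for frame in pcap_records(pcap):
        rec = decode_frame(frame, vlan_aware)
        if rec and host in (rec[0], rec[1]):
            hits.append(rec)
    return hits


# Constructed sample: the VML hit untagged, the Kaspersky hit on VLAN 100 (assumed).
SAMPLE_PCAP = build_pcap([
    ethernet_frame(ipv4_header("67.23.129.249", "10.21.0.16", 20) + tcp_header(80, 64185)),
    ethernet_frame(ipv4_header("204.11.109.23", "10.21.0.16", 20) + tcp_header(80, 64385),
                   vlan_id=100),
])

if __name__ == "__main__":
    for aware in (False, True):
        print("vlan_aware=%s: %s" % (aware, find_host(SAMPLE_PCAP, "204.11.109.23", aware)))
```

Against a real capture the same check with tcpdump itself is `tcpdump -n -e -r <file> 'vlan and host 204.11.109.23'`: the `vlan` keyword makes libpcap shift the offsets of everything after it past the tag, and `-e` prints the link-level header so any 802.1Q tag is visible. If that also returns nothing, the VLAN explanation is ruled out and the mismatch lies elsewhere (for instance the alert and the pcap coming from different interfaces or different log files).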
