[Snort-users] Heap Spray String Floods

Michael Lubinski michael.lubinski at ...11827...
Thu Feb 17 12:07:35 EST 2011


> 133a
>
> Alert row pasted from the BASE console (base_qry_alert.php), cut off at both ends:
>
>   ID:         #46-(51-2564)
>   Signature:  ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String
>               [url]   http://www.darkreading.com/security/vulnerabilities/221901428/index.html
>               [local] signatures/2012254.txt
>               [snort] http://www.snort.org/pub-bin/sigs.cgi?sid=1:2012254
>   Timestamp:  2011-02-17 10:59:29
>   Source:     192.168.1.200:80
>   Dest:       192.168.1.104:1261
>   Proto:      TCP
>
>   (next row, #47-(51-2563), truncated after: <INPUT TYPE="hidden" NAME="action_l)
>

On Thu, Feb 17, 2011 at 10:55 AM, Matt Olney <molney at ...1935...> wrote:

> That's an Emerging Threats rule, not a VRT rule. However, we have found
> that heap spray detections like these are very useful and accurate. Do you
> have the packet payload that triggered these alerts?
>
> On Thu, Feb 17, 2011 at 11:45 AM, Michael Lubinski <
> michael.lubinski at ...11827...> wrote:
>
>> After updating the rules today I have noticed a few hundred and counting
>> ET Heap Spray alerts (see attached picture).
>>
>> My Snort VM is residing at the .200 IP.
>> The laptop I am using is the .104.
>>
>> Anyone have any ideas? I think it is related to the Snort signature
>> update; maybe something went amiss, not sure.
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110217/f79b7c55/attachment.html>
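As an added example (not code from the thread, and not the ET rule's actual content match, which is only approximated here), a small Python check for the string the rule is named after, run over constructed payloads. It shows the first thing worth confirming once the packet payload Matt asks for is in hand: a page that merely prints the signature name, as an alert console does, carries the same bytes as a script that uses it, so the triage step is to look at where in the payload the match sits.

```python
import re

# Filler string the ET rule (sid 1:2012254) is named after, as it appears in
# escaped JavaScript, plus the same text as UTF-16LE bytes. Assumption (added
# example): both forms are searched case-insensitively, which is close to but
# not identical to what the real ET rule matches.
SPRAY_ASCII = b"%u0a0a%u0a0a"
SPRAY_UTF16 = SPRAY_ASCII.decode().encode("utf-16-le")

SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def find_spray_string(payload: bytes):
    """Return sorted (offset, encoding) pairs for every occurrence."""
    hits = []
    for enc, needle in (("ascii", SPRAY_ASCII), ("utf-16le", SPRAY_UTF16)):
        for m in re.finditer(re.escape(needle), payload, re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def triage(payload: bytes) -> str:
    """Classify a payload by where the string sits.

    'in-script': inside a <script> block, where an actual spray would live.
    'in-text'  : outside any script, e.g. a page that only prints the rule
                 name (what an IDS console's own HTML looks like on the wire).
    'no-match' : pattern absent.
    """
    hits = find_spray_string(payload)
    if not hits:
        return "no-match"
    scripts = [(m.start(), m.end()) for m in SCRIPT_RE.finditer(payload)]
    if any(s <= off < e for off, _ in hits for s, e in scripts):
        return "in-script"
    return "in-text"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "script": b'<html><script>var f = unescape("%u0a0a%u0a0a");</script></html>',
    "benign": b"<html><body>Nothing to see here.</body></html>",
    "console": (b"<TR><TD>ET SHELLCODE Common %u0a0a%u0a0a UTF-16 "
                b"Heap Spray String</TD><TD>192.168.1.104:1261</TD></TR>"),
    "utf16": "<p>%u0a0a%u0a0a</p>".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {triage(data):10s} {find_spray_string(data)}")
```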

