[Snort-users] Heap Spray String Floods

Matt Olney molney at ...1935...
Thu Feb 17 12:31:17 EST 2011


At first glance, it looks like you are alerting on data you are pulling from
BASE.

On Thu, Feb 17, 2011 at 12:07 PM, Michael Lubinski <
michael.lubinski at ...11827...> wrote:

>  133a
>
>     <INPUT TYPE="hidden" NAME="action_lst[46]" VALUE="#46-(51-2564)"><TD
> align="center" valign="top" >
>   <A
> HREF='base_qry_alert.php?submit=%2346-%2851-2564%29&sort_order=time_d'>#46-(51-2564)</a>
> </TD>
>
> <TD align="left" valign="top" >
>   <FONT SIZE=-1>[<A HREF="
> http://www.darkreading.com/security/vulnerabilities/221901428/index.html"
> TARGET="_ACID_ALERT_DESC">url</A>]</FONT> <FONT SIZE=-1>[<A
> HREF="signatures/2012254.txt" TARGET="_ACID_ALERT_DESC">local</A>]</FONT>
> <FONT SIZE=-1>[<A HREF="
> http://www.snort.org/pub-bin/sigs.cgi?sid=1:2012254"
> TARGET="_ACID_ALERT_DESC">snort</A>]</FONT>  ET SHELLCODE Common
> %u0a0a%u0a0a UTF-16 Heap Spray String
>  </TD>
>
> <TD align="center" valign="top" >
>   2011-02-17 10:59:29
> </TD>
>
> <TD align="center" valign="top" >
>   <A
> HREF="base_stat_ipaddr.php?ip=192.168.1.200&netmask=32">192.168.1.200</A><FONT
> SIZE="-1">:80</FONT>
> </TD>
>
> <TD align="center" valign="top" >
>   <A
> HREF="base_stat_ipaddr.php?ip=192.168.1.104&netmask32">192.168.1.104</A><FONT
> SIZE="-1">:1261</FONT>
> </TD>
>
> <TD align="center" valign="top" >
>   <FONT>TCP</FONT>
> </TD>
>
> </TR><TR BGCOLOR="#FFFFFF"><TD align="center" valign="top" >
>   <INPUT TYPE="checkbox" NAME="action_chk_lst[47]" VALUE="#47-(51-2563)">
> </TD>
>
>     <INPUT TYPE="hidden" NAME="action_l
>
>
> On Thu, Feb 17, 2011 at 10:55 AM, Matt Olney <molney at ...1935...>wrote:
>
>> That's an Emerging Threats rule, not a VRT rule.  However, we have found
>> heap spray detection rules like these to be very useful and accurate.  Do you
>> have the packet payload that triggered these alerts?
>>
>> On Thu, Feb 17, 2011 at 11:45 AM, Michael Lubinski <
>> michael.lubinski at ...11827...> wrote:
>>
>>>  After updating the rules today I have noticed a few hundred and counting
>>> ET Heap Spray alerts (see attached picture);
>>>
>>> My Snort VM is residing at the .200 IP.
>>> The laptop I am using is the .104
>>>
>>> Anyone have any ideas? I think it is related to the snort signature
>>> update, maybe something went amiss, not sure.
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>
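The mechanism Matt points at above, as an added example that is not part of the thread and not code from Snort, Emerging Threats or BASE: the rule keys on the literal string %u0a0a%u0a0a, the BASE alert listing prints the signature name (which contains that string) in every row it renders, and the sensor sees that page leave the console host (192.168.1.200:80) for the analyst's browser (192.168.1.104). Every refresh of the console is therefore a new alert, which is what "a few hundred and counting" looks like. The packets below are constructed samples; the rule check is a simplification of the real rule (direction plus content match only); the suppression models a Snort 2 threshold.conf entry using the sid 1:2012254 shown in the quoted listing.

```python
"""Added example, not code from the thread or from Snort/BASE.

Models a content rule for the UTF-16 heap spray marker firing on the BASE
console's own alert listing, and a by-source suppression that breaks the loop.
"""
from dataclasses import dataclass

MARKER = b"%u0a0a%u0a0a"  # the string the ET rule keys on (taken from the alert name)
SIG_NAME = b"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"
CONSOLE_IP = "192.168.1.200"  # Snort VM running BASE, from the thread
ANALYST_IP = "192.168.1.104"  # laptop viewing BASE, from the thread

# Constructed sample: a fragment of the BASE page quoted in the thread, with
# assumed HTTP headers in front of it.
BASE_FRAGMENT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<A HREF="http://www.snort.org/pub-bin/sigs.cgi?sid=1:2012254" '
    b'TARGET="_ACID_ALERT_DESC">snort</A>]</FONT>  ' + SIG_NAME
)
# Constructed sample: an unrelated page with no marker in it.
BENIGN_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html><body>nothing to see</body></html>"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def rule_fires(pkt: Packet) -> bool:
    """Simplified rule: HTTP server-to-client traffic whose payload carries the marker."""
    return pkt.src_port == 80 and MARKER in pkt.payload


def suppressed(pkt: Packet, suppress_by_src: frozenset) -> bool:
    """Model of a threshold.conf line such as:
       suppress gen_id 1, sig_id 2012254, track by_src, ip 192.168.1.200
    """
    return pkt.src_ip in suppress_by_src


def inspect(pkt: Packet, suppress_by_src: frozenset = frozenset()) -> bool:
    """True when the sensor would log an alert for this packet."""
    return rule_fires(pkt) and not suppressed(pkt, suppress_by_src)


def base_listing(alert_count: int) -> Packet:
    """Constructed BASE response: one table row per stored alert, each printing the signature name."""
    rows = b"".join(b"<TR><TD>" + SIG_NAME + b"</TD></TR>\n" for _ in range(alert_count))
    body = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<TABLE>\n" + rows + b"</TABLE>"
    return Packet(CONSOLE_IP, 80, ANALYST_IP, 1261, body)


def simulate_refreshes(refreshes: int, suppress_by_src: frozenset = frozenset(),
                       stored_alerts: int = 1) -> list:
    """Alert count after each refresh of the BASE alert list.

    One response packet per refresh is modelled. A real listing spans many TCP
    segments, and each reassembled chunk carrying the marker can fire the rule,
    so real growth is faster than what this returns.
    """
    history = []
    for _ in range(refreshes):
        if inspect(base_listing(stored_alerts), suppress_by_src):
            stored_alerts += 1  # the console's own page became one more alert
        history.append(stored_alerts)
    return history


if __name__ == "__main__":
    print("BASE fragment fires:", rule_fires(Packet(CONSOLE_IP, 80, ANALYST_IP, 1261, BASE_FRAGMENT)))
    print("benign page fires:  ", rule_fires(Packet("203.0.113.10", 80, ANALYST_IP, 1262, BENIGN_PAGE)))
    print("no suppression:     ", simulate_refreshes(5))
    print("console suppressed: ", simulate_refreshes(5, frozenset({CONSOLE_IP})))
```

The suppression is the blunt fix: it also hides a genuine heap spray served from the console host, so it should be scoped as tightly as possible (the console's IP and this one sid), and the cleaner option is to keep the sensor's own management and console traffic off the monitored interface altogether. Either way, the packet payload Matt asks for is what confirms the diagnosis: if the payload is BASE's HTML with the signature name in it, the rule is working and the console is the trigger.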