[Snort-users] Further Investigation Needed: FILE-FLASH Action InitArray stack overflow attempt

Turnbough, Bradley E. bturnbough at ...15650...
Tue Sep 24 12:15:08 EDT 2013


Joel,

While I'm very open to submitting false positives, I want to understand better why this event is firing.

Is there a way to capture *more* data (the date preceeding the event) and step through it to determine whether or not it's actually malicious?

Right now, all I'm seeing is ascii characters, presumably because it's compiled .SWF bits.

Brad
________________________________
From: Joel Esler [jesler at ...1935...]
Sent: Tuesday, September 24, 2013 11:11 AM
To: Turnbough, Bradley E.
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Further Investigation Needed: FILE-FLASH Action InitArray stack overflow attempt

What is the sid for the rule, we have two rules with that message?

In fact this would help:

Submit a False Positive<https://www.snort.org/uploads>

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 24, 2013, at 9:59 AM, Turnbough, Bradley E. <bturnbough at ...15650...<mailto:bturnbough at ...15650...>> wrote:

Guys,

This one is coming up in droves and I'm fairly sure they're false postivies.

I looked at the metadata / ascii in snorby, but it's all ascii characters.

Can someone point me in the right direction as to what I can do to see the data (or more data!) / where it is coming from?

Thanks,

Brad
_____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

_____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.




More information about the Snort-users mailing list