[Snort-users] Further Investigation Needed: FILE-FLASH Action InitArray stack overflow attempt

Jeremy Hoel jthoel at ...11827...
Tue Sep 24 20:55:06 EDT 2013


There is no way to capture data before the event with snort.  It's
highly recommend that you also run some kind of network capture
software to capture all packets (or at least a good subset of them) so
you can go back and pull the relevant data out when you need to look
at something.

Snort.org has a tool called daemonlogger
(http://www.snort.org/snort-downloads/additional-downloads#daemonlogger)
and you can also use cxtracker (http://gamelinux.github.io/cxtracker/)
with other tools like openfpc (http://www.openfpc.org/).

Also check out Security Onion
(https://code.google.com/p/security-onion/) for an all in one rolled
up solution.  With a little emphisis on this -
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

On Tue, Sep 24, 2013 at 4:15 PM, Turnbough, Bradley E.
<bturnbough at ...15650...> wrote:
> Joel,
>
> While I'm very open to submitting false positives, I want to understand better why this event is firing.
>
> Is there a way to capture *more* data (the date preceeding the event) and step through it to determine whether or not it's actually malicious?
>
> Right now, all I'm seeing is ascii characters, presumably because it's compiled .SWF bits.
>
> Brad
> ________________________________
> From: Joel Esler [jesler at ...1935...]
> Sent: Tuesday, September 24, 2013 11:11 AM
> To: Turnbough, Bradley E.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Further Investigation Needed: FILE-FLASH Action InitArray stack overflow attempt
>
> What is the sid for the rule, we have two rules with that message?
>
> In fact this would help:
>
> Submit a False Positive<https://www.snort.org/uploads>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Sep 24, 2013, at 9:59 AM, Turnbough, Bradley E. <bturnbough at ...15820....<mailto:bturnbough at ...15650...>> wrote:
>
> Guys,
>
> This one is coming up in droves and I'm fairly sure they're false postivies.
>
> I looked at the metadata / ascii in snorby, but it's all ascii characters.
>
> Can someone point me in the right direction as to what I can do to see the data (or more data!) / where it is coming from?
>
> Thanks,
>
> Brad
> _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list