
| Subject: | Re: ISS Proventia email overflow |
|---|---|
| Date: | Tue, 20 Nov 2007 10:26:59 -0600 |
It is from a known good source, another mail server, but I don't know if this instance is mail being relayed or generated from the server itself. The smtp portion of the packet is just a bunch of random numbers from what I can tell.

On Nov 20, 2007 10:15 AM, David Maynor <dmaynor@gmail.com> wrote:

> Is the email spam or is it from a known good source?
>
> On Nov 20, 2007 10:59 AM, Albert R. Campa <abcampa@gmail.com> wrote:
>
>> I don't know that it is an actual email, but this is 1 of 28 lines that I took from a packet capture in the smtp portion of the packet:
>>
>> `Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n`
>>
>> Some lines are longer, some shorter, but 28 of them. I guess this is what is causing the event to trigger.
>>
>> On Nov 20, 2007 9:43 AM, David Maynor <dmaynor@gmail.com> wrote:
>>
>>> What is contained in that email? Specifically, that check is looking for strings that could be used as the payload in a buffer overflow. There is always a chance of positives, but I would love to see what kind of legit email contains characters that could be translated to machine code in a useful fashion.
>>>
>>> On Nov 19, 2007 5:28 PM, Albert R. Campa <abcampa@gmail.com> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I am getting spurts of events triggered by ISS Proventia, with the following vuln description:
>>>>
>>>> Vulnerability description: In buffer overflow attacks, an attacker supplies data that is longer than the available space to hold it. For stack allocated variables, this usually means the attacker can corrupt other variables and eventually modify the code that is executed when the function in which the overflow occurs ends.
>>>>
>>>> http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
>>>>
>>>> They are from a trusted mail server so it's not being blocked. Do you think this is just a true false positive or is this trusted mail server sending bad packets?

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
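The thread turns on whether the 28 captured lines are legitimate mail or raw 8-bit data that should never appear in an SMTP DATA stream. The script below is an added triage example, not code from the thread or from ISS: it decodes the one escaped line quoted above, counts how many bytes fall outside 7-bit text, and compares it with a constructed base64 MIME line (the wire form a legitimate binary attachment takes). The 30% threshold is an assumption, and this is not the logic of the Proventia signature, which the thread does not show.

```python
import re

# The single alert line quoted in the thread, exactly as the IDS printed it (octal escapes).
ALERT_LINE = r"\252\225U\376\207\251\326\270\001II\341\321\321I\001R\n"
# Constructed sample: how a legitimate binary attachment is carried on the wire (base64 MIME body line).
BASE64_LINE = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==\r\n"

_ESC = re.compile(r"\\([0-7]{1,3}|[nrt\\])")

def decode_escapes(s: str) -> bytes:
    """Decode a C/IDS-style escaped string (\\252, \\001, \\n, ...) into the raw bytes it represents."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")   # literal characters between escapes
        tok = m.group(1)
        out.append(int(tok, 8) if tok.isdigit() else {"n": 10, "r": 13, "t": 9, "\\": 92}[tok])
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)

def payload_stats(data: bytes) -> dict:
    """Classify each byte as 8-bit, bare control, or 7-bit text (TAB/CR/LF count as text)."""
    high = sum(b >= 0x80 for b in data)
    ctrl = sum(b < 0x20 and b not in (9, 10, 13) for b in data)
    return {
        "length": len(data),
        "high_bit": high,
        "control": ctrl,
        "text": len(data) - high - ctrl,
        # RFC 5321 DATA is 7-bit unless the relay negotiated 8BITMIME (RFC 6152)
        "seven_bit_clean": high == 0 and ctrl == 0,
    }

def looks_like_raw_binary(data: bytes, threshold: float = 0.3) -> bool:
    """True when more than `threshold` of the bytes could not occur in 7-bit mail text (assumed cutoff)."""
    st = payload_stats(data)
    return st["length"] > 0 and (st["high_bit"] + st["control"]) / st["length"] > threshold

def triage(escaped_line: str) -> str:
    """One-line verdict for an alert line copied out of the IDS event."""
    data = decode_escapes(escaped_line)
    if payload_stats(data)["seven_bit_clean"]:
        return "7-bit clean: plain or MIME-encoded text, signature match is likely a false positive"
    if looks_like_raw_binary(data):
        return "raw 8-bit data in DATA stream: confirm 8BITMIME on the relay before calling it benign"
    return "mostly text with a few stray bytes: inspect the full message"

if __name__ == "__main__":
    print(payload_stats(decode_escapes(ALERT_LINE)))
    print(triage(ALERT_LINE))
```

For the quoted line the verdict is the raw-8-bit case (12 of 18 bytes are outside 7-bit text), which is what separates "the relay is passing unencoded binary" from "this is ordinary mail that happened to match".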