That's a good question. We removed the 2 bleeding snort rules from Chas
Tomlin with this comment made by myself:
------
Removed, sids 2705, 2706, 2707 in the snort.org rulesets cover this nicely
------
The original rules we had were:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established;
content:"Content-Type\: image/jpeg"; content:"|FF FE 00 00|";
classtype:attempted-user; sid:200326; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
WEB-CLIENT MS04-028 exploiting jpeg"; flow:to_client,established;
content:"Content-Type\: image/jpeg"; content:"|FF FE 00 01|";
classtype:attempted-user;sid:2001327; rev:1;)
I don't think we had any serious problem with these rules, but I don't
recall exactly.
The snort.org rules that replaced these are:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser heap overflow attempt"; flow:from_server,established; co
ntent:"image/"; nocase;
pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi";
reference:bugtraq,11173; reference:cve,2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2705; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG transfer"; flow:from_server,established; content:"image/"; nocase;
pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi";
flowbits:set,http.jpeg; flowbits:noalert;
classtype:protocol-command-decode; sid:2
706; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser multipacket heap overflow"; flow:from_server,established
; flowbits:isset,http.jpeg; content:"|FF|";
pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173;
reference:cve,2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2707; rev:2;)
Which I just realized I have had commented out for a while. I don't
recall if there were problems when I dropped them way back when, so I'm
turning them back on to see how they do.
Can anyone comment on their accuracy?
Matt
Chris Kronberg wrote:
Hi,
Has anyone a working rule for that gdi exploit? I've seen
that the two rules once on bleedingsnort have been removed
(good thing as they produced tons of false positives). Yet
I failed to see any alternative. Any idea how the virus
scanners find those jpegs without too much false positives?
Cheers,
Chris Kronberg.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
