Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] False +ves for 2657 EXPLOIT SSLv2 Client_Hello with pad Cha

from [Russell Fulton] Network Security [Permanent Link]
Subject: [Snort-sigs] False +ves for 2657 EXPLOIT SSLv2 Client_Hello with pad Challenge Length overflow attempt
Date: Fri, 26 Nov 2004 10:02:51 +1300 
I am seeing hundreds of these alerts a day from reputable sources and no
sign of any malicious intent.

Here is a typical packet capture _ there are plenty more if anyone wants
them!

META
--------
SID     CID     TimeStamp               Signature
5       273974  2004-11-25 09:51:16     EXPLOIT SSLv2 Client_Hello with pad 
Challenge Length overflow attempt
Sig ID
2657

Sensor Hostname                         Sensor Interface
hihi    1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
203.173.211.65  130.216.11.111  4       5
TOS     length  ID      flags   offset  TTL     chksum
32      303     44817   2       0       121     9313

Resolved Source
p65-nas2.akl.ihug.co.nz

Resolved Dest
ndeva.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
1327            443             5593186 1528433891
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      8509    30851           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
17030001021F83AF73F1    ........s.
385827A0EDD163E10090    8X'...c...
2F26E65E6240C4A356D2    /&.^b@..V.
344FA3CE206BE6A50644    4O.. k...D
B0C824A3339ACA69C1F8    ..$.3..i..
5AF07B41F5D429415A1A    Z.{A..)AZ.
4DD2DC2A19FF247BF411    M..*..${..
3EBCD6EF984958819E04    >....IX...
4B9136C8CC7619312487    K.6..v.1$.
916FD34665C203465560    .o.Fe..FU`
300513DFA35A8DC72124    0....Z..!$
540530C63249DB94A0A2    T.0.2I....
832CF4A908A77395D141    .,....s..A
6469FD37C3F50015FD74    di.7.....t
A367FF223A91BA8EB6AF    .g.":.....
CA9D26EACB0BF90699A2    ..&.......
99F5763B6A5E398C2C84    ..v;j^9.,.
89039CFCD49A3ED3FE23    ......>..#
787AFDF2398F4744C83E    xz..9.GD.>
2F36CA38ADFA5C3A7852    /6.8..\:xR
F12DCD10B3D28B1A8133    .-.......3
2C5B3C1D56CDDEE7B7BE    ,[<.V.....
E8118D26A21A9723E90C    ...&...#..
E2B003B9E78F83720859    .......r.Y
BFAF22F09C529018ABF6    .."..R....
85740836C7EA2EA2F172    .t.6.....r
3E9C77  >.w

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] False +ves for 2657 EXPLOIT SSLv2 Client_Hello with pad Challenge Length overflow attempt, Russell Fulton <=
Previous by Date:  Re: [Snort-sigs] The rule 1054 fires up false positives!, nnposter
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] Craig C Anderson/seh is out of the office., Craig C Anderson
Next by Thread:  [Snort-sigs] A newb question on Snort Rules, warwick ackfin
Indexes:  [Date] [Thread] [Top] [All Lists]