Subject: [Snort-sigs] FP for WEB-CLIENT winamp .cda file name overflow attempt Sig ID 3088
Date: Sat, 19 Feb 2005 15:55:37 +1300

I'm seeing quite a few of these:


META
--------
SID     CID     TimeStamp               Signature
3       840221  2005-02-18 16:02:53     WEB-CLIENT winamp .cda file name overflow attempt
Sig ID
3088

Sensor Hostname                         Sensor Interface
hihi.itss       eth1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
64.12.180.19    130.216.28.1    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1420    37074   2       0       233     26784

Resolved Source
main-v3.netscape.com

Resolved Dest
eduf-link.eduf.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
80              19297           279622877       1076353437
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               16      34500   50815           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X                                       

DATA
--------
Win16.<OPTION VALUE='Win2000'>Win2000.<OPTION VALUE='Win3.1'
>Win3.1.<OPTION VALUE='Win95'>Win95.<OPTION VALUE='Win98'>Wi
n98.<OPTION VALUE='WinME'>WinME.<OPTION VALUE='WinNT'>WinNT.
<OPTION VALUE='WinXP'>WinXP.</SELECT></FONT>.<BR>.<FONT COLO
R=#000000 FACE='sans-serif, Arial, Helvetica' SIZE=1> .<SELE
CT NAME='SUPPORTED_FILE_EXTENSIONS'>.<OPTION VALUE='allExten
sion'>All File extensions.<OPTION VALUE='.001'>.001.<OPTION 
VALUE='.123'>.123.<OPTION VALUE='.669'>.669.<OPTION VALUE='.
CGM'>.CGM.<OPTION VALUE='.Rar'>.Rar.<OPTION VALUE='.aam'>.aa
m.<OPTION VALUE='.ace'>.ace.<OPTION VALUE='.aep'>.aep.<OPTIO
N VALUE='.afl'>.afl.<OPTION VALUE='.aif'>.aif.<OPTION VALUE=
'.aifc'>.aifc.<OPTION VALUE='.aiff'>.aiff.<OPTION VALUE='.ar
j'>.arj.<OPTION VALUE='.as'>.as.<OPTION VALUE='.asf'>.asf.<O
PTION VALUE='.asp'>.asp.<OPTION VALUE='.asx'>.asx.<OPTION VA
LUE='.au'>.au.<OPTION VALUE='.avi'>.avi.<OPTION VALUE='.avx'
>.avx.<OPTION VALUE='.axs'>.axs.<OPTION VALUE='.bbz'>.bbz.<O
PTION VALUE='.bmp'>.bmp.<OPTION VALUE='.bzip'>.bzip.<OPTION 
VALUE='.c4'>.c4.<OPTION VALUE='.cal'>.cal.<OPTION VALUE='.ca
ls'>.cals.<OPTION VALUE='.ccv'>.ccv.<OPTION VALUE='.cda'>.cd
a.<OPTION VALUE='.cdr'>.cdr.<OPTION VALUE='.cdw'>.cdw.<OPTIO
N VALUE='.cdx'>.cdx.<OPTION VALUE='.cdxml'>.cdxml.<OPTION VA
LUE='.cfm'>.cfm.<OPTION VALUE='.cgm'>.cgm.<OPTION VALUE='.ch
m'>.chm.<OPTION VALUE='.cif'>.cif.<OPTION VALUE='.cit'>.cit.

Current Thread:
  • [Snort-sigs] FP for WEB-CLIENT winamp .cda file name overflow attempt Sig ID 3088, Russell Fulton