Re: [Snort-sigs] False +ve for BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buf

Subject: Re: [Snort-sigs] False +ve for BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buffer Overflow sid:2000329
Date: Thu, 19 May 2005 15:21:50 -0500
I wonder if this isn't a sig we could drop out of the rulesets as obsoleted.

Unless someone has a tip on tuning it more.

Matt

Russell Fulton wrote:
I'm seeing lots of these; they are also triggering (correctly) the iroffer alert.

R


META
--------
SID  CID      TimeStamp            Signature
3    3707243  2005-05-18 12:31:08  BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buffer Overflow  Sig ID 2000329

Sensor Hostname                         Sensor Interface
hihi.itss       eth1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
66.252.1.215    130.216.1.33    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       656     50768   2       0       54      45899

Resolved Source
66.252.1.215.hipnotic.org

Resolved Dest
railcamp-fw.net.auckland.ac.nz


TCP
--------
Source Port  Dest Port  Seq        Ack
6667         2387       718579870  4294267129
Offset  Reserved  Flags  Window  Checksum  Urgent Ptr
5       0         24     5178    25891     0


Options
--------
None


Flags
--------
RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN
                 X    X


DATA
--------
:TMD-XDCC-GuardianAngels228!~TMD@1a358005.ec7593a.eastlink.c
a PRIVMSG #TMD-MOVIEZ :.**. 2 packs .**. 1 of 2 slots open,
Record: 61.0KiB/s..:TMD-XDCC-GuardianAngels228!~TMD@1a35800
5.ec7593a.eastlink.ca PRIVMSG #TMD-MOVIEZ :.**. Bandwidth Us
age .**. Current: 15.9KiB/s, Record: 94.1KiB/s..:TMD-XDCC-Gu
ardianAngels228!~TMD@1a358005.ec7593a.eastlink.ca PRIVMSG #T
MD-MOVIEZ :.**. To request a file type: "/msg TMD-XDCC-Guard
ianAngels228 xdcc send #x" .**...:TMD-XDCC-GuardianAngels228
!~TMD@1a358005.ec7593a.eastlink.ca PRIVMSG #TMD-MOVIEZ :.#1 
. 257x [191M] .09 [TMD]Eloise.At.Christmastime.(UnKnown).DVD
Rip.(1of2).avi..



-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
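Added example, not part of the thread and not the sid 2000329 rule itself: it parses a subset of the quoted payload (reconstructed from the ASCII dump, with \x02 for the IRC bold bytes) and shows it is iroffer XDCC advertisement chatter with no CTCP DCC SEND in it. The "oversized DCC argument" heuristic and the constructed DCC_LINE are assumptions made for illustration.

```python
import re

CTCP = "\x01"  # CTCP delimiter; DCC requests travel as PRIVMSG \x01DCC ...\x01

# Two PRIVMSGs reconstructed from the packet quoted above (constructed subset).
PAYLOAD = (
    ":TMD-XDCC-GuardianAngels228!~TMD@1a358005.ec7593a.eastlink.ca PRIVMSG "
    "#TMD-MOVIEZ :\x02**\x02 2 packs \x02**\x02  1 of 2 slots open, Record: 61.0KiB/s\r\n"
    ":TMD-XDCC-GuardianAngels228!~TMD@1a358005.ec7593a.eastlink.ca PRIVMSG "
    "#TMD-MOVIEZ :\x02**\x02 To request a file type: \"/msg TMD-XDCC-GuardianAngels228 "
    "xdcc send #x\" \x02**\x02\r\n"
)

# Constructed contrast case: a real CTCP DCC SEND carrying a 300-byte filename.
DCC_LINE = (":bot!~u@h PRIVMSG victim :" + CTCP + "DCC SEND " + "A" * 300
            + " 1116130506 6667 1234" + CTCP + "\r\n")


def parse_privmsgs(payload):
    """Split raw IRC data into (source, target, text) tuples, one per PRIVMSG."""
    out = []
    for line in payload.split("\r\n"):
        m = re.match(r"^:(\S+) PRIVMSG (\S+) :(.*)$", line)
        if m:
            out.append(m.groups())
    return out


def classify(text):
    """Label one PRIVMSG body: 'dcc' (CTCP DCC), 'xdcc-advert' (iroffer-style
    pack/slot announcement) or 'chat'."""
    if text.upper().startswith(CTCP + "DCC "):
        return "dcc"
    if re.search(r"\bxdcc\b", text, re.I) or "packs" in text or "slots open" in text:
        return "xdcc-advert"
    return "chat"


def suspicious_dcc(text, max_arg=128):
    """Tuning heuristic (assumption): alert only on a CTCP DCC whose
    argument (e.g. filename) exceeds max_arg bytes; adverts never qualify."""
    if classify(text) != "dcc":
        return False
    args = text.strip(CTCP).split(" ")[2:]  # DCC <type> <args...>
    return any(len(a) > max_arg for a in args)


def triage(payload):
    """Return (labels, any_suspicious) for every PRIVMSG in a payload."""
    texts = [t for _, _, t in parse_privmsgs(payload)]
    return [classify(t) for t in texts], any(suspicious_dcc(t) for t in texts)
```

Run against the quoted packet, triage() reports only xdcc-advert lines and nothing suspicious, which is the false positive the thread is about; the constructed DCC_LINE is the kind of message a tuned check would still catch.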




