Can someone help me understand what this rule is looking for?
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get
shared ciphers overflow attempt"; flow:to_server,established;
flowbits:isnotset,sslv3.server_hello.request;
flowbits:isnotset,sslv2.client_hello.request;
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2;
offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249;
reference:cve,2006-3738;
reference:url,www.openssl.org/news/secadv_20060928.txt;
classtype:attempted-admin; sid:8440; rev:2; )
Here's the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
As I understand it, the packet must have |01 03| at a depth of 2 bytes.
Then, at an offset of two bytes from that a byte_test of the next 2 bytes
should not exceed 256. So that would mean that D6+67 is greater than 256?
Is there a spec somewhere that describes what the header fields refer to?
I'm getting tons of these alerts on what appears to be normal traffic, and
I'd like to know exactly what's going on? RFC 4346 isn't much help. I
don't read geek.
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
p7s3ni9Yq8qFV.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
