On 0, Nigel Houghton <nigel@sourcefire.com> wrote:
On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
Can someone help me understand what this rule is looking for?
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl get
shared ciphers overflow attempt"; flow:to_server,established;
flowbits:isnotset,sslv3.server_hello.request;
flowbits:isnotset,sslv2.client_hello.request;
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2;
offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249;
reference:cve,2006-3738;
reference:url,www.openssl.org/news/secadv_20060928.txt;
classtype:attempted-admin; sid:8440; rev:2; )
Here's the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
As I understand it, the packet must have |01 03| at a depth of 2 bytes.
Then, at an offset of two bytes from that a byte_test of the next 2 bytes
should not exceed 256. So that would mean that D6+67 is greater than 256?
I missed a key word in this next paragraph, it is "starting", check the
snort manual for where it goes :)
The rule is looking for a content of 01 03 at an offset of 2 bytes from
the start of the packet data with a depth of 2 bytes (01 03 is two
bytes). Then it looks at the two bytes following at a distance of 1 byte
from the previous content match to see if the value is greater than 256,
if it is then alert because it may be an attempt to overflow a buffer by
sending too much data.
Taking a drink now.
--
Nigel Houghton
Office Linebacker
SF VRT
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
