--On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton
<nigel@sourcefire.com> wrote:
On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
Can someone help me understand what this rule is looking for?
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
get shared ciphers overflow attempt"; flow:to_server,established;
flowbits:isnotset,sslv3.server_hello.request;
flowbits:isnotset,sslv2.client_hello.request;
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
depth:2; offset:2; byte_test:2, >, 256, 1, relative;
reference:bugtraq,20249; reference:cve,2006-3738;
reference:url,www.openssl.org/news/secadv_20060928.txt;
classtype:attempted-admin; sid:8440; rev:2; )
Here's the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
As I understand it, the packet must have |01 03| at a depth of 2 bytes.
Then, at an offset of two bytes from that a byte_test of the next 2
bytes should not exceed 256. So that would mean that D6+67 is greater
than 256?
The rule is looking for a content of 01 03 at an offset of 2 bytes from
the start of the packet data with a depth of 2 bytes (01 03 is two
bytes). Then it looks at the two bytes following at a distance of 1 byte
from the previous content match to see if the value is greater than 256,
if it is then alert because it may be an attempt to overflow a buffer by
sending too much data.
OK, I muffed that horribly. :-(
At an offset of two bytes, for a depth of two bytes, the content should be
|01 03|, right?
Now where the heck is the byte_test? The next two bytes? In that case it
would be |00 BE|, which is not >256, so that can't be right.
Now I'm thoroughly confused.
I appreciate you pointing to the RFC, but as I said, I don't read geek.
Where can I find something that says something like this:
The first two byes define the version of ssl being used: here are the
possibilities. The next two bytes define X, and here are the possible
values. Etc., etc., etc.
Someone needs to translate the RFCs into English.
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
p7sG3Zw6f7dCS.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
