On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
--On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton
<nigel@sourcefire.com> wrote:
On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
Can someone help me understand what this rule is looking for?
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
get shared ciphers overflow attempt"; flow:to_server,established;
flowbits:isnotset,sslv3.server_hello.request;
flowbits:isnotset,sslv2.client_hello.request;
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
depth:2; offset:2; byte_test:2, >, 256, 1, relative;
reference:bugtraq,20249; reference:cve,2006-3738;
reference:url,www.openssl.org/news/secadv_20060928.txt;
classtype:attempted-admin; sid:8440; rev:2; )
Here's the relevant bits of the payload:
17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
As I understand it, the packet must have |01 03| at a depth of 2 bytes.
Then, at an offset of two bytes from that a byte_test of the next 2
bytes should not exceed 256. So that would mean that D6+67 is greater
than 256?
The rule is looking for a content of 01 03 at an offset of 2 bytes from
the start of the packet data with a depth of 2 bytes (01 03 is two
bytes). Then it looks at the two bytes following at a distance of 1 byte
from the previous content match to see if the value is greater than 256,
if it is then alert because it may be an attempt to overflow a buffer by
sending too much data.
OK, I muffed that horribly. :-(
At an offset of two bytes, for a depth of two bytes, the content should be
|01 03|, right?
Yes.
Now where the heck is the byte_test? The next two bytes? In that case it
would be |00 BE|, which is not >256, so that can't be right.
No, the byte_test has the form
byte_test:<how many bytes>,<operator>,<size>,<offset>,<optional modifiers>;
So, in this case, check for the content match then byte_test:2,>,256,1,relative
says get two bytes, see if they are bigger than 256 and start 1 byte from the
end of the previous content match (note the relative modifier). Which means,
that you are looking at "BE D6" which is indeed much larger than 256.
I appreciate you pointing to the RFC, but as I said, I don't read geek.
Where can I find something that says something like this:
The first two byes define the version of ssl being used: here are the
possibilities. The next two bytes define X, and here are the possible
values. Etc., etc., etc.
Someone needs to translate the RFCs into English.
Yeah, that would be a good thing :)
I think that the Netscape specs I pointed to are however, very good and
explain SSL communications very well indeed.
--
Nigel Houghton
Office Linebacker
SF VRT
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
