--On Tuesday, April 24, 2007 12:17:38 -0400 Nigel Houghton
<nigel@sourcefire.com> wrote:
On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
--On Monday, April 23, 2007 16:45:18 -0500 Paul Schmehl
<pauls@utdallas.edu> wrote:
Continuing our discussion from yesterday :-), here's another payload
from a packet that tripped SID: 8440.
17 03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2
70 9C 04 2D 8A 32 FF A7 24 6A D4 85 8D 8D 6A E4
We obviously have a rule match on greater than 256 bytes, but my
question is, what do the fields in the header mean? What are bytes 6 &
7 referring to? What does byte 1, byte 2, etc. refer to? Does anyone
know where I can find a packet header field description that is similar
to the one in the training manual on page 552? (The RPC header
description.)
I'm trying to understand *why* what appear to be legitimate users
checking email is tripping this alert. Is it badly configured clients?
Unpatched clients? Badly designed clients that ignore the protocol?
The bottom line is, why are our users' email clients routinely trying to
overflow a buffer?
ok, here is what an SSL hello packet structure looks like:
Starting at byte 0 in the payload data...
Bytes 0 and 1 == packet length
Byte 2 == Message type
Bytes 3 and 4 == SSL version
Bytes 5 and 6 == cipher spec length
Bytes 7 and 8 == session ID
Bytes 9 and 10 == challenge length
next bunch of bytes are the cipher specs (the number of these can vary)
last bunch of bytes is the challenge
Some packet captures for full sessions would be great if you can send
some along, it would help with my current project :D
Details about what is in use would also be helpful.
OK. Now we're getting somewhere. So, using the packet info I posted (17
03 01 03 70 B9 5D 7D FD EB DF ED 04 C3 CC A2), the packet length would be
|17 03|, message type would be |01|, SSL version would be |03 70|, and
cipher spec length would be |B9 5D|, right?
When you refer to the cipher spec length, are you referring to this (pasted
below) on page 30, section A.2 of the appendices to the SSL spec as posted
at the Netscape site?
struct {
enum { change_cipher_spec(1), (255) } type;
} ChangeCipherSpec
In order to send you packet captures, I first need to identify the hosts
and applications that are triggering these alerts. That might take some
time.
--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
p7snjnNwnvYRA.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
