Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Lot of FP [8428 or 8426]

from [Thierry CHICH] Network Security [Permanent Link]
Subject: [Snort-sigs] Lot of FP [8428 or 8426]
Date: Thu, 10 Apr 2008 10:10:10 +0200 
Hi,

I don't know if these rules have been recently changed, but I can see that I 
have a lot of FP with this rule know. The "victim" is a cisco css, and I 
don't believe there such villains in this poor world :-).

WEB-MISC SSLv2 openssl get shared ciphers overflow attempt: 


/etc/snort/rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 443 
(msg:"WEB-MISC SSLv2 openssl get shared ciphers overflow attempt"; 
flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; 
flowbits:isnotset,sslv2.client_hello.request; 
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; 
offset:2; byte_test:2, >, 256, 1, relative; metadata:policy balanced-ips 
drop, policy connectivity-ips drop, policy security-ips drop, service http; 
reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; 
reference:url,www.openssl.org/news/secadv_20060928.txt; 
classtype:attempted-admin; sid:8428; rev:6;)

/etc/snort/rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 443 
(msg:"WEB-MISC SSLv2 openssl get shared ciphers overflow attempt"; 
flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; 
flowbits:isnotset,sslv3.client_hello.request; 
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; 
offset:2; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips 
drop, policy connectivity-ips drop, policy security-ips drop, service http; 
reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; 
reference:url,www.openssl.org/news/secadv_20060928.txt; 
classtype:attempted-admin; sid:8426; rev:6;)

Other thing. The two rules claim they are detecting a  SSLv2 overflow, but the 
second one is for SSLV3.

-- 
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] Lot of FP [8428 or 8426], Thierry CHICH <=
Previous by Date:  [Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Next by Date:  [Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Previous by Thread:  Re: [Snort-sigs] [Snort-users] Team0x42 Snort rules, Nigel Houghton
Next by Thread:  Re: [Snort-sigs] Snort-sigs Digest, Vol 23, Issue 3, Ureleet
Indexes:  [Date] [Thread] [Top] [All Lists]