
| Subject: | [Snort-sigs] Likely FPs for WEB-CLIENT Adobe BMP image handler buffer overflow attempt 13865 |
|---|---|
| Date: | Mon, 28 Jul 2008 11:45:05 +1200 |
Seeing hundreds of hits from the Microsoft site. Either FPs or the
site has been hacked...
Russell
META
| SID | CID | TimeStamp | Signature | Sig ID |
|---|---|---|---|---|
| 6 | 14617219 | 2008-07-27 13:00:04 | WEB-CLIENT Adobe BMP image handler buffer overflow attempt | 13865 |
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz dmz sensor
IP
| Source Address | Dest Address | Ver | Hdr Len | TOS | length | ID | flags | offset | TTL | chksum |
|---|---|---|---|---|---|---|---|---|---|---|
| 65.55.16.34 | 130.216.215.183 | 4 | 5 | 0 | 1408 | 32800 | 0 | 0 | 118 | 4975 |
Resolved Source Resolved Dest
c.shapes.office.microsoft.com trunnion.mech.auckland.ac.nz
TCP
| Source Port | Dest Port | Seq | Ack | Offset | Reserved | Flags | Window | Checksum | Urgent Ptr |
|---|---|---|---|---|---|---|---|---|---|
| 80 | 2670 | 574211411 | 1140576419 | 5 | 0 | 24 | 65535 | 48056 | 0 |
Options
None
Flags
| RB 1 | RB 0 | URG | ACK | PSH | RST | SYN | FIN |
|---|---|---|---|---|---|---|---|
| | | | X | X | | | |
DATA
HTTP/1.1 200 OK..Content-Length: 1146..Content-Type: image/b
mp..Last-Modified: Tue, 10 Oct 2006 20:11:34 GMT..Accept-Ran
ges: bytes..ETag: "0df6648a8ecc61:777"..X-Powered-By: ASP.NE
T..Date: Sun, 27 Jul 2008 01:00:04 GMT....BMz.......z...(...
... .......................................................
............................................................