Re: Rule Submit: Apple Quicktime RTSP Overflow: msg#00146 security.ids.snort.bleedingsnort

Correction:
Those rules should contain isdataat:400,relative; to guarantee it wasn't a short packet.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )

-Blake

Blake Hartstein wrote:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )

-Blake

--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.

bhartstein.vcf
Description: Vcard

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Previous by Date:	RE: New sig for unknown bot: 00146, Raitz, Alex
Next by Date:	Rule Submit: Apple Quicktime RTSP Overflow: 00146, Blake Hartstein
Previous by Thread:	Edonkey Sigsi: 00146, Matt Jonkman
Next by Thread:	Rule Submit: Apple Quicktime RTSP Overflow: 00146, Blake Hartstein
Indexes:	[Date] [Thread] [Top] [All Lists]

<Prev in Thread]	Current Thread	[Next in Thread>