RE: EXPLOIT SSLv2 Client_Hello with pad Challenge Length overflow a

Here is the info on the rule:

http://www.snort.org/snort-db/sid.html?sid=2657

This affects Netscape Network Security Services (NSS).

So, they probably are false positives if you are not using these services.

Shirkdog

> From: Russell Fulton <r.fulton@xxxxxxxxxxxxxx>
> To: snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Snort-sigs] EXPLOIT SSLv2 Client_Hello with pad Challenge Length 
> overflow attempt: sid 2657
> Date: Tue, 19 Oct 2004 14:19:24 +1300
>
> We are seeing lots of these alerts to various of our SSL servers on
> campus. There are about 160 different sources (mostly local DSL or
> dialup users -- i.e. exactly the users we would expect).
>
> Sample packet data:
>
> 170300010219DD1421A4
>
> 1E22E15D960B352E5291
>
> 5E53096D07688EBFE701
>
> 3B81726BA5740E57C502
>
> C66F9A3136430C19B427
>
> 9C052E25A3CB34412BBE
>
> D89E269669768FC87281
>
> E20DD5D2A287D55DE54D
>
> E7FC45D8B83A7F1EE07F
>
> F4A83F85F07D7F7B2035
>
> 2047FB3E9D6779AC57F8
>
> C4F38948049A0C339822
>
> 707FC42F9C39A847ABBB
>
> 5FA6B9CC589487D789DD
>
> DB0257A72A541F370E02
>
> B0F14C78F3FE2C2D48C0
>
> 77C58FCAF18C36E56A7B
>
> B6623ACE1C0F6FFDF24E
>
> 7F8A971AD92C68A9C6A7
>
> 535460D0EB84C414EFFF
>
> F8668B9A5AF6629D5D06
>
> 57A70282DE3D8FD2FCA6
>
> 8C018F425625B6F1D494
>
> 06AF7B8EBBDBC77425F0
>
> 42979737558081C46F70
>
> 67957B3E9BA029A0DD3E
>
>
>
> ........!.
>
> .".]..5.R.
>
> ^S.m.h....
>
> ;.rk.t.W..
>
> .o.16C...'
>
> ...%..4A+.
>
> ..&.iv..r.
>
> .......].M
>
> ..E..:....
>
> ..?..}.{ 5
>
>  G.>.gy.W.
>
> ...H...3."
>
> p../.9.G..
>
> _...X.....
>
> ..W.*T.7..
>
> ..Lx..,-H.
>
> w.....6.j{
>
> .b:...o..N
>
> .....,h...
>
> ST`.......
>
> .f..Z.b.].
>
> W....=....
>
> ...BV%....
>
> ..{....t%.
>
> B..7U...op
>
> g.{>..)..>
>
>
> --
> Russell Fulton, Information Security Officer, The University of Auckland
> New Zealand
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee® 
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl