|Main Archive Page > Month Archives > snort-users archives|
you can ascertain this by asking yourself some simple questions:
Answer both of those and You'll find the answer...
1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;)
On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn < Shawn.Jefferson@bcferries.com> wrote:
> I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt
> buffer overflow attempt (1:13318), and Iím thinking this is a false
> positive. The snort page for the alert doesnít list any known false
> Some of the payload info:
> HTTP/1.1 200 OK
> Date: Wed, 25 Mar 2009 20:51:54 GMT
> Server: Apache/1.3.41.fb2
> Expires: Mon, 26 Jul 1997 05:00:00 GMT
> Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0,
> Pragma: no-cache
> P3P: CP="HONK"
> Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
> Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
> X-Cnection: close
> Transfer-Encoding: chunked
> Content-Encoding: gzip
> The reason I think it may be a false positive, is the fact that this
> triggered by JPEGs, and Iíve always assumed they were false positives, but I
> wanted to run it by all you because I could be missing something!
> Also, if this is a false positive, how do I go about helping fill out the
> snort alert DB on the website?
> Snort-users mailing list
> Go to this URL to change user options or unsubscribe:
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive: