Snort mailing list archives

Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 20 Jan 2017 17:35:08 +0000

Hello Charlie,

Do you have a pcap of the traffic that produced some of these false positives?


Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Charlie Dyer <charlierwdyer () gmail com>
Date: Friday, January 20, 2017 at 12:07 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Hi list

The number of false positives these two rules produce is huge!
Has anyone else seen the same, or amended the rule to be a bit more specific to the exploit, i.e. user agent is Acrobat Reader or something, so it's a bit more specific?

Any thoughts gratefully received

Charlie