Snort mailing list archives
Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt
From: Nick Randolph <drandolph () sourcefire com>
Date: Mon, 23 Jan 2017 09:50:42 -0500
Charlie,

We released an update on Friday that included a revision to this rule. Can you let us know if you are still having FP issues?

On Fri, Jan 20, 2017 at 12:54 PM, Charlie Dyer <charlierwdyer () gmail com> wrote:

I won't be able to do that, but below is a small subset of URLs that triggered the alerts. Presumably the browser requesting these files means these alerts aren't anything to worry about, as the related CVEs are to do with Acrobat Reader and Acrobat DC, right?

www.minitorque.com/forum/customavatars/avatar7001_1.gif
disclaimer.akbank.com/images/disclaimer19.jpg
www.metoffice.gov.uk/media/image/0/q/surfacepressurechart.jpg

On Fri, Jan 20, 2017 at 5:35 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello Charlie,

Do you have a pcap of the traffic that produced some of these false positives?

Thanks.

Albert Lewis
Engineer, Software Engineering
Sourcefire, Inc. now part of Cisco
Email: allewi () cisco com

From: Charlie Dyer <charlierwdyer () gmail com>
Date: Friday, January 20, 2017 at 12:07 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt

Hi list,

The number of false positives these two rules produce is huge! Has anyone else seen the same, or amended the rule to be a bit more specific to the exploit, i.e. user agent is Acrobat Reader or something so it's a bit more specific?

Any thoughts gratefully received.

Charlie
-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
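The thread asks whether ordinary images fetched by a browser can really contain a "malformed JPEG APP1 segment". The rule's own match conditions are not shown on this page, so the following is an added example, not Snort's rule logic and not Sourcefire/Talos code: a Python walker over JPEG marker segments that reports APP1 segments whose declared length, or whose embedded Exif IFD0 offset, runs past the bytes actually present. The three sample JPEGs are constructed inline; the structural checks it applies are a generic assumption about what "out of bounds" means for APP1, not the rule's specific condition. One way to triage an alerting URL is to fetch the image and run the script on the saved file to see whether it is structurally malformed at all.

```python
"""Added example (not Snort's rule logic): walk JPEG marker segments and
flag APP1 segments whose declared length, or whose embedded Exif IFD0
offset, runs past the bytes actually present.  Sample JPEGs are built
inline from constructed byte strings."""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
# Markers that carry no length field: SOI, EOI, TEM and the RSTn markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (marker, offset, declared_len, available) per segment up to SOS.

    offset is where the 0xFF marker byte sits; declared_len is the big-endian
    length field (which counts its own two bytes); available is how many bytes
    remain from the length field to the end of the buffer."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:    # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            yield marker, start, 0, 0
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):                           # length field cut off
            yield marker, start, None, len(data) - pos
            return
        declared = struct.unpack(">H", data[pos:pos + 2])[0]
        yield marker, start, declared, len(data) - pos
        if marker == SOS or declared < 2:
            return            # entropy-coded data follows, or length is unusable
        pos += declared


def check_exif_ifd0(tiff, start):
    """Check that the TIFF header inside an Exif APP1 points at an IFD0 whose
    entry table lies inside the segment."""
    if len(tiff) < 8:
        return ["APP1 at %d: Exif TIFF header truncated" % start]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return ["APP1 at %d: unknown TIFF byte order %r" % (start, tiff[:2])]
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        return ["APP1 at %d: bad TIFF magic %d" % (start, magic)]
    if ifd0 + 2 > len(tiff):
        return ["APP1 at %d: IFD0 offset %d beyond TIFF data (%d bytes)"
                % (start, ifd0, len(tiff))]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    if ifd0 + 2 + 12 * count > len(tiff):
        return ["APP1 at %d: IFD0 declares %d entries, table overruns TIFF data"
                % (start, count)]
    return []


def check_app1(data):
    """Return a list of findings for APP1 segments that reach out of bounds;
    an empty list means every APP1 segment (and any Exif IFD0 it carries)
    fits inside the bytes present."""
    findings = []
    for marker, start, declared, available in walk_segments(data):
        if marker != APP1:
            continue
        if declared is None or declared < 2:
            findings.append("APP1 at %d: invalid length field %r" % (start, declared))
            continue
        if declared > available:
            findings.append("APP1 at %d: declares %d bytes, only %d present"
                            % (start, declared, available))
            continue
        payload = data[start + 4:start + 2 + declared]
        if payload.startswith(b"Exif\x00\x00"):
            findings.extend(check_exif_ifd0(payload[6:], start))
    return findings


def segment(marker, payload, declared=None):
    """Build one marker segment; declared overrides the real length to forge a bad one."""
    length = len(payload) + 2 if declared is None else declared
    return bytes([0xFF, marker]) + struct.pack(">H", length) + payload


def exif_payload(ifd0_offset=8, entries=1):
    """Minimal big-endian Exif body: TIFF header, then IFD0 with zeroed entries."""
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_offset)
    tiff += struct.pack(">H", entries) + b"\x00" * (12 * entries) + struct.pack(">I", 0)
    return b"Exif\x00\x00" + tiff


JFIF = segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
TAIL = segment(SOS, b"\x00") + b"\xFF\xD9"
# Constructed samples: one well-formed file and two malformed APP1 variants.
GOOD_JPEG = b"\xFF\xD8" + JFIF + segment(APP1, exif_payload()) + TAIL
OVERLONG_APP1 = b"\xFF\xD8" + JFIF + segment(APP1, exif_payload(), declared=0x4000) + TAIL
BAD_IFD0_JPEG = b"\xFF\xD8" + JFIF + segment(APP1, exif_payload(ifd0_offset=0xFFFFFF)) + TAIL

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_app1(fh.read()) or "APP1 segments in bounds")
```

Run it as `python3 check_app1.py saved_image.jpg` on images downloaded from the URLs in the thread. An empty result means the file's APP1 segment and its Exif IFD0 fit inside the bytes present, which supports treating the alert as a false positive on this structural reading; a finding means the file genuinely has an out-of-bounds APP1 and deserves a closer look regardless of which client fetched it.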
Current thread:
- SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Charlie Dyer (Jan 20)
- Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Nick Randolph (Jan 20)
- Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Al Lewis (allewi) (Jan 20)
- Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Charlie Dyer (Jan 20)
- Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Nick Randolph (Jan 23)
- Re: SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt Charlie Dyer (Jan 20)