macromedia flash overflow signature

darin.marais
Level 4

We have had a number of sources within our network trigger an event to notify the security analyst of the recently identified Macromedia vulnerability.

The signature looks like this:

SIGID: 5692 <protected>
SubSig: 0 <protected>
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high <defaulted>
AlarmThrottle: FireOnce <defaulted>
AlarmTraits:
CapturePacket: False <defaulted>
ChokeThreshold:
Direction: FromService <protected>
Enabled: True <defaulted>
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1 <defaulted>
MinMatchLength:
Protocol: TCP <defaulted>
RegexString: 0 <protected>
ResetAfterIdle: 15 <defaulted>
ServicePorts: #WEBPORTS <defaulted>
SigComment:
SigName: Macromedia Flash Overflow <protected>
SigStringInfo: Macromedia Flash Overflow <defaulted>
SigVersion: S200 <defaulted>
StorageKey: STREAM <defaulted>
StripTelnetOptions:
SummaryKey: Axxx <defaulted>
ThrottleInterval: 15 <defaulted>
WantFrag:

What is the signature looking for?

When it triggers, does this mean that it has identified usage of Macromedia Flash in the network, or has the signature detected an actual exploit?

5 Replies

wsulym
Cisco Employee

We've had a couple of reports of false positives regarding this signature. Is there any chance you might be able to provide some additional detail regarding the alerts? I'm looking for details on websites that trigger the alert when you visit them.

Thanks.

Walter.

This is the trigger packet from one alert:

Frame 1 (1518 bytes on wire, 1518 bytes captured)
    Arrival Time: Nov 17, 2005 11:04:56.000000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 1518 bytes
    Capture Length: 1518 bytes
    Protocols in frame: eth:ip:tcp:http:data
Ethernet II, Src: mac, Dst: mac
    Destination: mac (mac)
    Source: mac (mac)
    Type: IP (0x0800)
    Frame check sequence: 0x7055b7b0 (correct)
Internet Protocol, Src Addr: 195.138.47.52 (195.138.47.52), Dst Addr: proxy (proxy)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1500
    Identification: 0x290d (10509)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: TCP (0x06)
    Header checksum: 0x0299 (correct)
    Source: 195.138.47.52 (195.138.47.52)
    Destination: proxy (proxy)
Transmission Control Protocol, Src Port: http (80), Dst Port: 15737 (15737), Seq: 0, Ack: 0, Len: 1460
    Source port: http (80)
    Destination port: 15737 (15737)
    Sequence number: 0 (relative sequence number)
    Next sequence number: 1460 (relative sequence number)
    Acknowledgement number: 0 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x1511 (correct)
Hypertext Transfer Protocol
Data (1460 bytes)

Hi Darin,

I am the IPS development engineer working on this possible false positive. I need more information to analyse this. Would you be able to send me a pcap traffic sample that is causing this signature to trigger?

Thanks,

Jonathan

Hi Jonathan,

I will try to find that information for you.

1. Do you just want the IP logging turned on for the signature?

2. Could I send that to you offline?

Rgs,

Darin

Yes, to confirm all I need is the IP Logging turned on for that single signature. Once it triggers and you get the IPlog file please send it to me via email (offline).

If you send me a blank/test e-mail, I can send you my public key so you can encrypt the information.
