Cisco Support Community

New Member

macromedia flash overflow signature

We have had a number of sources within our network trigger an event to notify the security analyst of the recently identified Macromedia vulnerability.

The signature looks like this:

SIGID: 5692 <protected>
SubSig: 0 <protected>
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high <defaulted>
AlarmThrottle: FireOnce <defaulted>
AlarmTraits:
CapturePacket: False <defaulted>
ChokeThreshold:
Direction: FromService <protected>
Enabled: True <defaulted>
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1 <defaulted>
MinMatchLength:
Protocol: TCP <defaulted>
RegexString: 0 <protected>
ResetAfterIdle: 15 <defaulted>
ServicePorts: #WEBPORTS <defaulted>
SigComment:
SigName: Macromedia Flash Overflow <protected>
SigStringInfo: Macromedia Flash Overflow <defaulted>
SigVersion: S200 <defaulted>
StorageKey: STREAM <defaulted>
StripTelnetOptions:
SummaryKey: Axxx <defaulted>
ThrottleInterval: 15 <defaulted>
WantFrag:

What is the signature looking for?

When it triggers, does this mean that it has identified usage of Macromedia within the network, or has the signature detected an actual exploit?

5 REPLIES
Cisco Employee

Re: macromedia flash overflow signature

We've had a couple reports of some false positives regarding this signature. Is there any chance you might be able to provide some additional detail regarding the alerts - I'm looking for detail on websites that by visiting them, you can trigger the alert.

Thanks.

Walter.

New Member

Re: macromedia flash overflow signature

This is the trigger packet from one alert:

Frame 1 (1518 bytes on wire, 1518 bytes captured)
    Arrival Time: Nov 17, 2005 11:04:56.000000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 1518 bytes
    Capture Length: 1518 bytes
    Protocols in frame: eth:ip:tcp:http:data
Ethernet II, Src: mac, Dst: mac
    Destination: mac (mac)
    Source: mac (mac)
    Type: IP (0x0800)
    Frame check sequence: 0x7055b7b0 (correct)
Internet Protocol, Src Addr: 195.138.47.52 (195.138.47.52), Dst Addr: proxy (proxy)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1500
    Identification: 0x290d (10509)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: TCP (0x06)
    Header checksum: 0x0299 (correct)
    Source: 195.138.47.52 (195.138.47.52)
    Destination: proxy (proxy)
Transmission Control Protocol, Src Port: http (80), Dst Port: 15737 (15737), Seq: 0, Ack: 0, Len: 1460
    Source port: http (80)
    Destination port: 15737 (15737)
    Sequence number: 0 (relative sequence number)
    Next sequence number: 1460 (relative sequence number)
    Acknowledgement number: 0 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x1511 (correct)
Hypertext Transfer Protocol
Data (1460 bytes)
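The two artifacts in this thread, the signature parameter listing and the trigger packet summary, are what an analyst actually has in hand when asking "is this usage or an exploit?". The following script is an added example (not code from the thread or from Cisco) that parses both into dictionaries and runs the checks a defender would do first: is the packet consistent with the signature's Direction and ServicePorts, is the matched pattern (RegexString) even readable from the listing, and is packet capture enabled for follow-up. The sample text is constructed from the values posted above; the #WEBPORTS port set is a placeholder assumption, since the real list is sensor configuration, and reading FromService as "server-side port is the packet's source port" is an assumption that the posted packet (source port 80) is consistent with.

```python
"""Triage helper for an IPS signature alert (added example, not from the thread).

Parses the parameter listing and the packet summary into dictionaries, then
checks whether the trigger packet is consistent with the signature's
Direction/ServicePorts, whether the matched pattern is visible in the listing,
and whether packet capture is enabled for follow-up analysis.
"""
import re

# Constructed sample: an abridged copy of the listing posted in the thread.
SIG_DUMP = """\
SIGID: 5692 <protected>
SubSig: 0 <protected>
AlarmSeverity: high <defaulted>
CapturePacket: False <defaulted>
Direction: FromService <protected>
Enabled: True <defaulted>
Protocol: TCP <defaulted>
RegexString: 0 <protected>
ServicePorts: #WEBPORTS <defaulted>
SigName: Macromedia Flash Overflow <protected>
StorageKey: STREAM <defaulted>
WantFrag:
"""

# Constructed sample: the packet summary lines that carry addressing and flags.
PKT_DUMP = """\
Internet Protocol, Src Addr: 195.138.47.52 (195.138.47.52), Dst Addr: proxy (proxy)
Transmission Control Protocol, Src Port: http (80), Dst Port: 15737 (15737), Seq: 0, Ack: 0, Len: 1460
Flags: 0x0010 (ACK)
"""

# Assumption: the sensor's #WEBPORTS variable resolves to a set of ports. The
# real list is sensor configuration; this placeholder only needs to hold 80.
WEBPORTS = {80, 8080}

PARAM_RE = re.compile(
    r"^(?P<key>\w+):\s*(?P<value>.*?)\s*(?:<(?P<tag>protected|defaulted)>)?\s*$"
)


def parse_signature(text):
    """Map each parameter name to its value (None if blank) and its tag."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m["key"]] = {"value": m["value"] or None, "tag": m["tag"]}
    return params


def protected_params(sig):
    """Names of the parameters the listing marks <protected>."""
    return [k for k, v in sig.items() if v["tag"] == "protected"]


def parse_packet(text):
    """Pull addresses, ports and TCP flags out of a Wireshark-style summary."""
    pkt = {}
    m = re.search(r"Src Addr: (\S+) .*?Dst Addr: (\S+)", text)
    if m:
        pkt["src_addr"], pkt["dst_addr"] = m.group(1), m.group(2)
    m = re.search(r"Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)", text)
    if m:
        pkt["src_port"], pkt["dst_port"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Flags: 0x[0-9a-fA-F]+ \(([^)]*)\)", text)
    if m:
        pkt["tcp_flags"] = m.group(1)
    return pkt


def check_trigger(sig, pkt, webports=WEBPORTS):
    """Sanity-check the alert packet against the signature definition."""
    svc = sig["ServicePorts"]["value"]
    ports = webports if svc == "#WEBPORTS" else {int(p) for p in svc.split(",")}
    # Assumption: FromService means the engine inspects data flowing from the
    # service (server) side, so the service port is the packet's *source* port.
    if sig["Direction"]["value"] == "FromService":
        direction_ok = pkt.get("src_port") in ports
    else:
        direction_ok = pkt.get("dst_port") in ports
    # The listing shows RegexString as a protected "0": the byte pattern the
    # engine matched cannot be read from it, so only a capture shows what fired.
    regex = sig["RegexString"]["value"]
    pattern_visible = regex not in (None, "0")
    capture_on = sig["CapturePacket"]["value"] == "True"
    return {
        "direction_consistent": direction_ok,
        "content_pattern_visible": pattern_visible,
        "capture_packet": capture_on,
    }


if __name__ == "__main__":
    sig = parse_signature(SIG_DUMP)
    pkt = parse_packet(PKT_DUMP)
    print("protected:", protected_params(sig))
    print("packet:", pkt)
    print("checks:", check_trigger(sig, pkt))
```

On the posted data the checks come back as direction consistent (server port 80 is the packet's source, matching FromService on a web port), content pattern not visible (RegexString is protected and shows only 0), and CapturePacket False. That is exactly why the listing alone cannot answer "usage or exploit": the sensor is looking at HTTP response bodies from web servers, but what it matches inside them is not exposed, so the only way to settle a suspected false positive is the capture or IP log the engineer asks for later in the thread.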

New Member

Re: macromedia flash overflow signature

Hi Darin,

I am the IPS development engineer working on this possible false positive. I need more information to analyse this. Would you be able to send me a pcap traffic sample that is causing this signature to trigger?

Thanks,

Jonathan

New Member

Re: macromedia flash overflow signature

Hi Jonathan,

I will try to find that information for you.

1. Do you just want the IP logging turned on for the signature?

2. Could I send that to you offline?

Rgs,

Darin

New Member

Re: macromedia flash overflow signature

Yes, to confirm, all I need is the IP Logging turned on for that single signature. Once it triggers and you get the IPlog file, please send it to me via email (offline).

If you send me a blank/test e-mail, I can send you my public key so you can encrypt the information.
