From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Fri Jan 25 2002 - 18:43:03 CST


    Frank de Lange <secf-frankunternet.org> replied to "Grimes, Shawn
    (NIA/IRP)" <GrimesShgrc.nia.nih.gov>:

    > Looks like part of an image file to me, probably it is just (part of) a .gif or
    > .png. ...

    It is a PNG. Look at the whole packet dump in Shawn's post --
    specifically:

    050 : 89 .
    060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 PNG........IHDR.
    070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 ..A.........[8.f
    080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94 ....gAMA........
    ...

    Looks like a normal PNG header to me, and dumping from packet offset
    05F to end of packet created a file my graphics viewer happily opened
    as a PNG file. (I don't know enough about PNG to say whether it is
    completely contained in that packet -- anyone else? -- but I think
    PNG was designed to be relatively robust to truncation, so no
    complaints from the graphics viewer may not mean much...)

    > ... I get these alerts in snort all the time. I view them in the same light
    > as the 'x86 shellcode' alert, which pops up every now and then in an image file
    > which contains some 'NOP opcodes'.

    Yep -- 3-byte signatures are bound to have false alarm issues...

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
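As an added example (not part of the thread or anyone's posted code): a small PNG chunk walker that answers the open question above, whether a stream like the one in the dump is a complete image or only the head of one. The captured bytes are the ones quoted from Shawn's dump (offsets 0x5F to 0x8F); the second PNG is constructed here for comparison.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Bytes 0x5F-0x8F of the dump quoted above (signature, IHDR, gAMA); the quoted dump ends there.
CAPTURED_PNG = bytes.fromhex(
    "89504e470d0a1a0a"
    "0000000d49484452000005410000019808030000005b38d366"
    "0000000467414d410000d905abb5ea94"
)

def make_chunk(name: bytes, body: bytes) -> bytes:  # length + type + data + CRC-32 over type and data
    return struct.pack(">I", len(body)) + name + body + struct.pack(">I", zlib.crc32(name + body))

# Constructed 1x1 greyscale PNG with a proper IEND, for comparison.
COMPLETE_PNG = (PNG_SIGNATURE
                + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
                + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
                + make_chunk(b"IEND", b""))

def parse_png(data: bytes) -> dict:
    """Walk the chunk list; 'complete' is True only if an IEND chunk was reached."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: 8-byte signature mismatch")
    result = {"ihdr": None, "chunks": [], "complete": False}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, name = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            result["chunks"].append((name.decode("latin-1"), length, "truncated"))
            break  # chunk runs past the end of the capture
        verdict = "crc ok" if struct.unpack(">I", crc)[0] == zlib.crc32(name + body) else "crc BAD"
        result["chunks"].append((name.decode("latin-1"), length, verdict))
        if name == b"IHDR" and length == 13:
            w, h, depth, ctype, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
            result["ihdr"] = {"width": w, "height": h, "bit_depth": depth, "color_type": ctype}
        if name == b"IEND":
            result["complete"] = True
            break
        pos += 12 + length
    return result

if __name__ == "__main__":
    for label, blob in (("captured", CAPTURED_PNG), ("constructed", COMPLETE_PNG)):
        r = parse_png(blob)
        print(label, r["ihdr"], r["chunks"], "complete" if r["complete"] else "TRUNCATED")
```

A viewer that tolerates a missing IEND says nothing about completeness; the absence of IEND in the walk does, and a CRC mismatch on a chunk is the cheapest sign that bytes were altered in transit or mis-carved from the capture.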
    
