Re: Odd string in packet...

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Fri Jan 25 2002 - 16:43:03 PST

    Frank de Lange <secf-frankat_private> replied to "Grimes, Shawn 
    (NIA/IRP)" <GrimesShat_private>:
    
    > Looks like part of an image file to me, probably it is just (part of) a .gif or
    > .png.  ...
    
    It is a PNG.  Look at the whole packet dump in Shawn's post --
    specifically:
    
    050 :                                              89                  .
    060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00   PNG........IHDR.
    070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66   ..A.........[8.f
    080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94   ....gAMA........
    ...
    
    Looks like a normal PNG header to me, and dumping from packet offset
    05F to end of packet created a file my graphics viewer happily opened 
    as a PNG file.  (I don't know enough about PNG to say whether it is 
    completely contained in that packet -- anyone else? -- but I think 
    PNG was designed to be relatively robust to truncation, so no 
    complaints from the graphics viewer may not mean much...)
    
    > ... I get these alerts in snort all the time. I view them in the same light
    > as the 'x86 shellcode' alert, which pops up every now and then in an image file
    > which contains some 'NOP opcodes'.
    
    Yep -- 3-byte signatures are bound to have false alarm issues...
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
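
An added example, not part of the thread or of any poster's tooling, that
answers the two points above in code: whether the PNG in Shawn's packet is
complete, and why a 3-byte signature fires on image data. It walks the PNG
chunk stream (8-byte signature, then chunks of 4-byte big-endian length,
4-byte type, data, 4-byte CRC over type+data) and reports whether an IEND
chunk was reached, which is the definitive completeness test; a viewer
rendering the file proves nothing, since decoders render whatever scanlines
they have. The DUMP_FRAGMENT bytes are transcribed from the dump quoted in
the post (offset 0x5F onward, only the bytes shown there). The packet
around it, and the 1x1 PNG used for the "complete" case, are constructed
here. The random-bytes match estimate assumes compressed image data is
close to uniformly random, which is a fair model for deflate output.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Transcribed from the packet dump quoted in the post (packet offset 0x5F
# onward, only the bytes the post shows). The dump stops after the gAMA chunk.
DUMP_FRAGMENT = bytes.fromhex(
    "89 50 4E 47 0D 0A 1A 0A "
    "00 00 00 0D 49 48 44 52 00 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 "
    "00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94"
)

# Constructed stand-in for the whole packet: 0x5F bytes of filler where the
# real capture carries its link/IP/TCP/HTTP headers, then the PNG bytes.
CONSTRUCTED_PACKET = b"\x00" * 0x5F + DUMP_FRAGMENT


def find_png_offset(packet):
    """Offset of the 8-byte PNG signature inside a packet, or -1 if absent."""
    return packet.find(PNG_SIGNATURE)


def walk_png(data):
    """Walk the chunk stream that follows the PNG signature.

    Returns a dict with: signature_ok, chunks [(type, length, crc_ok)], ihdr
    (decoded header fields or None), complete (an IEND chunk was reached) and
    cut_mid_chunk (the data ends inside a chunk). No IEND means the file is
    not complete, whatever a viewer makes of it.
    """
    result = {"signature_ok": data[:8] == PNG_SIGNATURE, "chunks": [],
              "ihdr": None, "complete": False, "cut_mid_chunk": False}
    if not result["signature_ok"]:
        return result
    pos = 8
    while pos < len(data):
        if pos + 8 > len(data):            # not even a length+type header left
            result["cut_mid_chunk"] = True
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        end = body_start + length + 4      # chunk data plus its 4-byte CRC
        if end > len(data):
            result["cut_mid_chunk"] = True
            break
        body = data[body_start:body_start + length]
        (stored_crc,) = struct.unpack(">I", data[body_start + length:end])
        crc_ok = zlib.crc32(ctype + body) == stored_crc   # CRC covers type + data
        result["chunks"].append((ctype.decode("ascii", "replace"), length, crc_ok))
        if ctype == b"IHDR" and length == 13:
            w, h, depth, colour, comp, filt, inter = struct.unpack(">IIBBBBB", body)
            result["ihdr"] = {"width": w, "height": h, "bit_depth": depth,
                              "color_type": colour, "compression": comp,
                              "filter": filt, "interlace": inter}
        pos = end
        if ctype == b"IEND":
            result["complete"] = True
            break
    return result


def _chunk(ctype, body):
    """Serialise one chunk with a correct CRC (used only to build test data)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_minimal_png():
    """A complete, valid 1x1 8-bit greyscale PNG, constructed for comparison."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"          # filter type 0, then one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def expected_random_matches(payload_len, sig_len):
    """Expected number of offsets at which a fixed sig_len-byte pattern matches
    payload_len uniformly random bytes (the model used for compressed image data)."""
    positions = max(payload_len - sig_len + 1, 0)
    return positions / 256 ** sig_len


if __name__ == "__main__":
    print("PNG signature at packet offset", hex(find_png_offset(CONSTRUCTED_PACKET)))
    r = walk_png(DUMP_FRAGMENT)
    print("chunks:", r["chunks"])
    print("IHDR:", r["ihdr"])
    print("IEND reached:", r["complete"], "| cut inside a chunk:", r["cut_mid_chunk"])
    print("expected 3-byte pattern hits per 1500-byte packet of random data:",
          expected_random_matches(1500, 3))
```

Run against the quoted bytes the walker decodes IHDR as a 1345x408 8-bit
palette image and sees IHDR and gAMA but no IEND, so on the dump as posted
the answer to the open question is "not complete in that packet"; the
IDAT chunks alone for an image that size exceed one MTU. The match estimate
shows why the snort alerts keep coming: a 3-byte pattern is expected to
appear by chance about once per 11,000 full-size packets of compressed
data, which on a busy link is several times a day.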
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 16:47:24 PST