Frank de Lange <secf-frankat_private> replied to "Grimes, Shawn (NIA/IRP)" <GrimesShat_private>:

> Looks like part of an image file to me, probably it is just (part of) a .gif or
> .png.

...

It is a PNG. Look at the whole packet dump in Shawn's post -- specifically:

050 :                                              89                 .
060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00  PNG........IHDR.
070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66  ..A.........[8.f
080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94  ....gAMA........
...

Looks like a normal PNG header to me, and dumping from packet offset 05F to end of packet created a file my graphics viewer happily opened as a PNG file. (I don't know enough about PNG to say whether it is completely contained in that packet -- anyone else? -- but I think PNG was designed to be relatively robust to truncation, so no complaints from the graphics viewer may not mean much...)

> ... I get these alerts in snort all the time. I view them in the same light
> as the 'x86 shellcode' alert, which pops up every now and then in an image file
> which contains some 'NOP opcodes'.

Yep -- 3-byte signatures are bound to have false alarm issues...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
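As an added example (not part of Nick's post or of the list), here is a small Python parser that checks the full 8-byte PNG signature instead of a 3-byte "PNG" match, walks the chunk list, verifies each chunk's CRC, and reports whether the buffer actually ends with an IEND chunk, which is the truncation question raised above. The sample bytes are the signature, IHDR and gAMA chunks transcribed from the dump; the rest of the packet is not on the page, so the sample is treated as truncated, and the CRC results are reported rather than assumed.

```python
import struct
import zlib

# The complete PNG signature: 0x89 "PNG" CR LF 0x1A LF (8 bytes, not just "PNG").
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample: packet offsets 0x5F-0x8F from the dump above
# (signature, IHDR chunk, gAMA chunk) with nothing following them.
SAMPLE = bytes.fromhex(
    "89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 "
    "00 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 "
    "00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94 "
)


def parse_png(data):
    """Validate the signature and walk the chunk list of a PNG byte buffer.

    Returns a dict: valid_signature, chunks as (type, length, crc_ok) tuples,
    width/height taken from IHDR, and complete (True only when IEND was seen
    inside the buffer, i.e. the image is not truncated).
    """
    result = {"valid_signature": data.startswith(PNG_SIGNATURE),
              "chunks": [], "width": None, "height": None, "complete": False}
    if not result["valid_signature"]:
        return result
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            break  # chunk runs past the end of the buffer: truncated
        # The CRC covers the type field and the data, not the length.
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == struct.unpack(">I", crc_bytes)[0]
        result["chunks"].append((ctype.decode("ascii"), length, crc_ok))
        if ctype == b"IHDR" and length == 13:
            result["width"], result["height"] = struct.unpack(">II", body[:8])
        if ctype == b"IEND":
            result["complete"] = True
            break
        pos += 12 + length
    return result


def classify(data):
    """Triage verdict for an alert payload: not-png, png-truncated or png-complete."""
    info = parse_png(data)
    if not info["valid_signature"]:
        return "not-png"
    return "png-complete" if info["complete"] else "png-truncated"
```

Run against the sample, `classify(SAMPLE)` returns "png-truncated" while a payload that merely contains the three bytes "PNG" without the full signature returns "not-png".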
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 16:47:24 PST