Holiday Stream - BOOO TO YOU!
- Submarine Voyage Captain
- Posts: 10954
- Joined: Sep Sun 06, 2009 8:53 am
- Location: 76 Totters Lane
- Santa Fe & Disneyland Railroad Engineer
- Posts: 2153
- Joined: Jun Mon 28, 2004 11:50 am
- Location: Winter Springs, FL
jgarmer wrote: It's possible the host streaming system on a FiOS network has an exploit on it that is attacking the VLC and MPlayer media players. I'm still looking into it. It made our intrusion detection system (Snort) go ape S--t. I have played other streams from this site at work without any issues, but this seems to be a redirect to a different source. joe
Joe,
Can you forward that to jcodirewolf? He is running that stream.
Thanks
Rich
"It's kind of fun to do the impossible.."
Walt Disney
- Peter Pan's Flight Pixie Duster
- Posts: 555
- Joined: Mar Tue 20, 2007 9:44 am
- Location: Our Fair City Boston MA
So, based on what you posted, it was Snort rule 15436 that was hit.
I'm not sure what rules database you are using, but the "standard" database says that rule is ....
15436 <-> EXPLOIT IBM Tivoli Storage Manager Express Backup counter heap corruption attempt (exploit.rules, High)
I won't have time today to look into it more. But if you can verify, based on your rule set, what "exploit" your IDS system thinks is being hit, that would be huge. But on the quick once-over, it appears to be a hash collision, and not a real attack.
Update:
Unless the OP has some additional data, this whole thread seems to be a false alarm.
Snort rule 15436, in the public rule set, refers to the following issue. (I had to download the current rules since the OP failed to post the links describing the problem.)
http://www.securityfocus.com/bid/34077
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-4563
http://www-01.ibm.com/support/docview.w ... wg21377388
Which is enough for me to call this closed.
Looking at all three postings, it appears there isn't even an exploit for the problem; it's just a known buffer overflow in TSM. And it's been fixed since March of this year.
johno
Last edited by jcodirewolf on Oct Mon 12, 2009 1:30 pm, edited 1 time in total.
[color=red]Updated![/color] For 2008 - [url=http://www.direwolf.com/Dreams/]Million Dreams Postcard Generator[/url]
- Peter Pan's Flight Pixie Duster
- Posts: 555
- Joined: Mar Tue 20, 2007 9:44 am
- Location: Our Fair City Boston MA
mindflipper wrote: I'm glad all of that made sense to someone.... Can we get a plain English translation of all that?
So the as-simple-English-as-I-can-muster summary is:
Someone (Joe?) has an Intrusion Detection System (IDS). It's basically a big pattern-matching engine, looking for patterns of either packets or contents of packets which indicate someone has broken or is trying to break into your equipment (or infect it or whatever...).
His IDS saw something and said "this is matching a pattern I know about", and he posted here.
I went and looked up the pattern based on the information he provided. Unless I looked up the wrong pattern/rule, it's an attack against an IBM product called Tivoli Storage Manager, and the attack is not launched for an MP3 stream.
So it's simply a collision between his rules and what happens to be in the stream. A collision in this case means the bad-guy pattern happens to match a non-bad pattern. There is a real art to writing the patterns so they match what you are looking for but not so much other stuff that your IDS goes off all the time, but you don't want to set the pattern so tight that all a bad guy has to do is put one random byte at the end of the packet so it no longer matches.
Is that simple/plain enough?
I will try to keep an eye on this thread.
johno
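As an added illustration (not part of this thread, and not Snort's own code): a toy Snort-style content matcher in Python showing the "collision" johno describes. The packets, the port and the byte pattern are constructed for the example; sid 15436 is reused only as a label, and the pattern is not the real rule's content. The example also goes one step beyond the post by showing the other side of the trade-off, a rule so tight that one extra byte makes it miss.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    sid: int
    content: bytes                   # bytes the payload must contain (like Snort `content:`)
    dst_port: Optional[int] = None   # optional destination-port qualifier (rule header)
    depth: Optional[int] = None      # search only the first `depth` payload bytes (`depth:`)
    exact_len: Optional[int] = None  # require this exact payload length (deliberately over-tight)

@dataclass
class Packet:
    dst_port: int
    payload: bytes

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the rule's qualifiers first, then the content search."""
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.exact_len is not None and len(pkt.payload) != rule.exact_len:
        return False
    haystack = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in haystack

def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (sid, packet index) pairs, i.e. the alerts an IDS would log."""
    return [(r.sid, i) for i, p in enumerate(packets)
            for r in rules if rule_matches(r, p)]

# Constructed sample traffic, not real captures. 0xFF 0xFB is the start of an
# ordinary MPEG-1 Layer III frame header, so it shows up in any MP3 stream.
# Port 1500 and the "TSMREQ" bytes are placeholders for the backup service traffic.
SYNC = b"\xff\xfb"
TSM_LIKE = Packet(dst_port=1500, payload=b"TSMREQ" + b"\x00" * 4 + SYNC + b"A" * 8)   # 20 bytes
MP3_FRAME = Packet(dst_port=8000, payload=b"\x00" * 20 + SYNC + b"\x90\x00" + b"A" * 12)
PADDED = Packet(dst_port=1500, payload=TSM_LIKE.payload + b"\x00")                    # 21 bytes

LOOSE = Rule(sid=15436, content=SYNC)                                  # content only: also fires on the stream
TUNED = Rule(sid=15436, content=SYNC, dst_port=1500, depth=16)         # port + depth: service traffic only
BRITTLE = Rule(sid=15436, content=SYNC, dst_port=1500, exact_len=20)   # one trailing byte defeats it

def demo() -> dict:
    traffic = [TSM_LIKE, MP3_FRAME, PADDED]
    return {"loose": evaluate([LOOSE], traffic),
            "tuned": evaluate([TUNED], traffic),
            "brittle": evaluate([BRITTLE], traffic)}

if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:8s} -> {alerts}")
```

The loose rule alerts on the MP3 frame (the false alarm in this thread); the tuned rule keeps matching the padded service packet while ignoring the stream; the brittle rule misses the padded packet entirely.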
- Submarine Voyage Captain
- Posts: 6842
- Joined: Jun Sun 25, 2006 12:11 pm
- Location: Chattanooga Tn
Now that's a very good explanation of something that can get very complicated.
Last edited by Jacca5660 on Oct Mon 12, 2009 2:11 pm, edited 1 time in total.
"Our dreams can come true - if we have the courage to pursue them" WED
"There's a fine prow on that steamer, let's climb aboard her!" Fireside
"You're off the map mateys..Here there be SeaMonsters!!"
The original "LICENSE MAYHEM MARAUDER!!
- Peter Pan's Flight Pixie Duster
- Posts: 555
- Joined: Mar Tue 20, 2007 9:44 am
- Location: Our Fair City Boston MA
Jacca5660 wrote: Now that's a very good explanation of something that can get very complicated.
Thank you.
Go Gators...
You going to ride in the century in 2 weeks?
http://gccfla.org/gcf/
johno
- Flight to the Moon Flight Director
- Posts: 1199
- Joined: Oct Fri 21, 2005 9:04 pm
- Location: Penny Arcade, Main Street USA
It's a bit late now, but next year it'd be great to hear Tower of Terror tracks (including lobby) and Haunted Mansion Holiday on this station!
I've loved hearing Haunted Mansion tracks from other parks (is that Tokyo?! Wish I could go there!) and all the other spooky fun!
Drop another coin in slot and I will tell you more.
- Peter Pan's Flight Pixie Duster
- Posts: 555
- Joined: Mar Tue 20, 2007 9:44 am
- Location: Our Fair City Boston MA
natatomic wrote: Do you have a date set for when the Holiday stream will switch from Halloween to Christmas?
...and do you know if it will have some of the new Christmas track additions (i.e. the Wilderness Lodge Christmas area loop)?
"Dogs are our link to paradise. They don't know evil or jealousy or discontent. To sit with a dog on a hillside on a glorious afternoon is to be back in Eden, where doing nothing was not boring - it was peace." ~ Milan Kundera
- Submarine Voyage Captain
- Posts: 10954
- Joined: Sep Sun 06, 2009 8:53 am
- Location: 76 Totters Lane
natatomic wrote: ^Aw, well I wasn't demanding (or even asking!) FOR it to be changed. I was simply curious as to when!
Ditto. It was a simple inquiry, not a request.