Hello All,
Recently we here at the Sourcefire VRT have received some false positive
reports for SID 3017, which deals with a WINS replication attack. We've
done some research into the matter, and we have a possible new rule that
we think eliminates (or at least greatly reduces) those false positives.
Since we don't run a large WINS operation here, we're hoping we can get
some volunteers who do have such a setup to test this new rule for us.
We would request that anyone testing this that gets alerts send us the
Windows version and service pack level of the sender & recipient of the
packet, since that information is relevant for proving or disproving the
theory behind this rule.
The proposed rule is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow
attempt"; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6;
byte_test:1,&,8,6;
pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00\x63-\x65]|\x02\x68\x05\xC0)/s";
reference:url,www.immunitysec.com/downloads/instantanea.pdf;
reference:cve,2004-1080; reference:bugtraq,11763; classtype:misc-attack;
sid:3017; rev:3;)
Thank you in advance to any volunteers. Please contact me directly
off-list if you are interested.
Alex Kirk
Research Analyst
Sourcefire, Inc.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
