Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Sourcefire VRT Update for Zotob Worm

from [Nigel Houghton] Network Security [Permanent Link]
Subject: [Snort-sigs] Sourcefire VRT Update for Zotob Worm
Date: Mon, 15 Aug 2005 20:31:53 -0500 
Sourcefire VRT Update for Zotob Worm

Update: 2005-08-15

The Sourcefire Vulnerability Research Team (VRT) is continuing to
investigate the Zotob worm and associated Microsoft PnP Vulnerability.
The VRT released rules  on August 12th, 2005 that detect all attempts to
exploit  this vulnerability. These rules are identified as sids 3828
through 4125. The  Zotob worm will alert on SID 3999. Inline users may
wish to set this rule to 'drop' for added protection.

To ensure detection/prevention of all variants of the worm and
additional potential attack vectors, the VRT recommends using Snort
v2.3.3 or higher. This will ensure the latest detection capabilities are
being utilized. In addition, Snort v2.3.3 uses are advised to make the
following configuration change to snort.conf.

Add ports 139 and 445 to the TCP reassembly configuration.

1. Open the snort.conf file in a text editor
2. Move to the line containing "preprocessor stream4_reassemble"
3. Replace the line with the following (ensure it is all on one line):
   preprocessor stream4_reassemble: clientonly, ports 21 23 25 53 80 110 111 
139 143 445 513 1433
4. Save the configuration
5. Restart Snort

This configuration change is required regardless of the rules being used
to detect attacks against the PnP vulnerability. Snort users running
Snort version 2.4 and later need not make this change unless they have
specified ports to reassemble in the snort.conf already. In this case,
make sure the ports 139 and 445 are added to the list.

Snort users should note that rules written specifically to detect the
currently known variants of Zotob may be evaded with each subsequent
variation and will be prone to an increased false positive threshold.
The Sourcefire VRT rules use the advanced capabilities of current
versions of snort to nullify the evasion attempts of attack vector
variants.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] Sourcefire VRT Update for Zotob Worm, Nigel Houghton <=
Previous by Date:  [Snort-sigs] duplicate packets checking, Igor Belikov
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] duplicate packets checking, Igor Belikov
Next by Thread:  [Snort-sigs] snort not detect messenger spam ? (snort240b18+snortrules24), rmkml
Indexes:  [Date] [Thread] [Top] [All Lists]