Snort mailing list archives
Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 25 Jan 2011 16:56:13 -0500
Those are DLL-load rules, so contemplate the nature of the vulnerability, how an IDS might detect it, and you've got your answer as to what we're probably looking for. That said, particularly in the case of NetBIOS rules - it's good practice not to be loading DLLs across SMB shares anyway. We would actually suggest trying to figure out what's loading DLLs over SMB and eliminating the need to do so if possible. Of course, if you're patched up to current, you should probably just turn these rules off anyway, as you're no longer vulnerable.

On Tue, Jan 25, 2011 at 4:16 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
> Hi there
>
> A couple of days ago, we rolled out the current Registered User 2.9.0.2 rules, and we're triggering a range of DLL-related NETBIOS rules, on normal file transfers, Office installs (I think) and backups. E.g.
>
> NETBIOS pptimpconv.dll access
> NETBIOS Windows Address Book smmscrpt.dll malicious DLL load
> NETBIOS Windows Address Book wab32res.dll malicious DLL load
> NETBIOS Windows Address Book msoeres32.dll malicious DLL load
> NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
> WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
>
> As these rules are all "metadata: engine shared", I can't tell what's going on, but the packet capture seems to show the associated filenames, so are these rules simply triggering whenever these files are seen? If so, they are going to generate a mess of FPs for lots of people...
>
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
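Alex's advice is to work out which machines are loading DLLs over SMB rather than to tune the rules blindly. The following is an added example, not code from the thread or from Sourcefire: it reads Snort alert_fast lines, keeps only the DLL-name rules the thread lists when they fire towards SMB ports, and groups the hits by client host and target server. The sample alert lines and their SIDs are constructed placeholders, not real VRT rule SIDs.

```python
"""Triage Snort alert_fast lines: which hosts are loading DLLs over SMB?

Added example, not code from the thread or from Sourcefire. SIDs in the
sample are constructed placeholders, not real VRT rule SIDs.
"""
import re
from collections import defaultdict

# One alert_fast line: ts [**] [gid:sid:rev] msg [**] [...] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# The rules in the thread all name a .dll/.ocx file in their message text.
DLL_RULE_RE = re.compile(r"\.(?:dll|ocx)\b", re.IGNORECASE)
SMB_PORTS = {139, 445}
# Constructed sample alerts using the rule messages quoted in the thread.
SAMPLE_ALERTS = """\
01/25-16:16:01.000001  [**] [1:900001:1] NETBIOS Windows Address Book wab32res.dll malicious DLL load [**] [Priority: 1] {TCP} 10.1.2.30:49153 -> 10.1.2.10:445
01/25-16:16:02.000002  [**] [1:900002:1] NETBIOS pptimpconv.dll access [**] [Priority: 1] {TCP} 10.1.2.30:49154 -> 10.1.2.10:445
01/25-16:16:03.000003  [**] [1:900001:1] NETBIOS Windows Address Book wab32res.dll malicious DLL load [**] [Priority: 1] {TCP} 10.1.2.31:49155 -> 10.1.2.10:445
01/25-16:16:04.000004  [**] [1:900003:1] WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt [**] [Priority: 1] {TCP} 10.1.2.30:49156 -> 203.0.113.7:80
01/25-16:16:05.000005  [**] [1:900004:1] ICMP PING [**] [Priority: 3] {ICMP} 10.1.2.30 -> 10.1.2.10
""".splitlines()

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None for lines without ports (e.g. ICMP)."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def dll_loads_over_smb(lines):
    """Map client IP -> {(server IP, rule message): hit count} for DLL rules on SMB ports."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or not DLL_RULE_RE.search(a["msg"]):
            continue
        if int(a["dport"]) not in SMB_PORTS:
            continue  # the WEB-CLIENT variant over HTTP is a separate question
        hits[a["src"]][(a["dst"], a["msg"])] += 1
    return {client: dict(v) for client, v in hits.items()}

if __name__ == "__main__":
    for client, targets in sorted(dll_loads_over_smb(SAMPLE_ALERTS).items()):
        for (server, msg), n in sorted(targets.items()):
            print(f"{client} -> {server}  x{n}  {msg}")
```

Feed it your own alert file instead of SAMPLE_ALERTS; clients with many distinct DLL names against one server are usually an install or backup job reading a share, which is what the thread expects behind these hits.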
Current thread:
- masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules Jason Haar (Jan 25)
- Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules Alex Kirk (Jan 25)
- Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules Jason Haar (Jan 25)
- Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules Alex Kirk (Jan 25)