Snort mailing list archives
Fwd: cve-2010-1635 detection
From: THG <thehulkguy () gmail com>
Date: Fri, 17 Aug 2012 08:47:11 +1000
Hi Guys,

I was looking for a signature for CVE-2010-1635, "Samba Flags2 header parsing vulnerability". I didn't find a signature for it in the Snort ruleset. After reading the CVE and the stratsec.net advisory on Samba multiple DoS vulnerabilities, "SS-2010-005", I have attempted to write a signature for it. Could someone please validate the logic?

# Negotiate Protocol (0x72) whose flags2 high byte is below 0x80: set the flowbit, no alert
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing - flowbit: set"; flow:to_server,established; content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative; flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538001;)

# Session Setup AndX (0x73) whose flags2 high byte is 0x80 or above, on a flow where the flowbit was set
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing denial of service attempt 1"; flow:to_server,established; content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative; flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538002;)

thanks,
rogue
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
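The two rules in the post encode one state transition per connection: a Negotiate Protocol request whose flags2 high byte is below 0x80 arms a flowbit, and a later Session Setup AndX on the same flow whose flags2 high byte is 0x80 or above fires the alert. The following Python script is an added example, not code from the original post, from the thread participants or from the Snort project. It builds constructed SMB1 messages, reproduces the content match plus byte_test offset arithmetic, and keeps per-flow state the way flowbits would. The message builder, the flow 4-tuples and the scenario names are assumptions made for the example; the header layout and the meaning of 0x8000 in flags2 (SMB_FLAGS2_UNICODE_STRINGS) follow the SMB1 specification.

```python
"""Emulate the two-rule flowbit logic from the post on constructed SMB1 traffic."""
import struct

# SMB1 header layout (follows the 4-byte NetBIOS session service header):
#   0-3   protocol  "\xffSMB"
#   4     command   0x72 = Negotiate Protocol, 0x73 = Session Setup AndX
#   5-8   status
#   9     flags
#   10-11 flags2, little-endian; 0x8000 = SMB_FLAGS2_UNICODE_STRINGS
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SID_SET_FLOWBIT = 7538001
SID_ALERT = 7538002


def smb_message(command, flags2, flags=0x18):
    """Constructed sample: NetBIOS session header + a 32-byte SMB1 header, no body."""
    hdr = b"\xffSMB" + struct.pack("<BIBH", command, 0, flags, flags2)
    hdr += b"\x00" * 12                          # pid_high, security signature, reserved
    hdr += struct.pack("<HHHH", 0, 0, 0, 0)      # tid, pid, uid, mid
    return struct.pack(">I", len(hdr)) + hdr     # NBSS: type 0x00 + 3-byte length


def byte_at_relative(payload, command, rel_offset=6):
    """Mirror content:"|FF|SMB|<cmd>|"; byte_test:1,<op>,<val>,6,relative.

    byte_test's offset is counted from the end of the preceding content match,
    so offset 6 after the 5-byte match lands on header byte 11: the high
    (little-endian) byte of flags2.  Returns None when the content does not match.
    """
    needle = b"\xffSMB" + bytes([command])
    idx = payload.find(needle)
    if idx < 0:
        return None
    pos = idx + len(needle) + rel_offset
    return payload[pos] if pos < len(payload) else None


class Flags2Detector:
    """Per-flow state standing in for flowbits:set / flowbits:isset (assumed 4-tuple key)."""

    def __init__(self):
        self.flowbits = {}  # flow key -> True once sid 7538001 has matched

    def inspect(self, flow, payload):
        alerts = []
        # sid 7538001: negprot whose flags2 high byte is < 128 (Unicode bit clear);
        # flowbits:noalert means it only records state.
        b = byte_at_relative(payload, SMB_COM_NEGOTIATE)
        if b is not None and b < 128:
            self.flowbits[flow] = True
        # sid 7538002: session setup with the Unicode bit set, only on a flow
        # where the bit was recorded earlier.
        b = byte_at_relative(payload, SMB_COM_SESSION_SETUP_ANDX)
        if b is not None and b > 127 and self.flowbits.get(flow, False):
            alerts.append(SID_ALERT)
        return alerts


def run_scenarios():
    """Three constructed client->server sequences; returns the alerts raised per scenario."""
    results = {}
    flow = ("10.0.0.5", 50123, "10.0.0.1", 445)      # assumed client/server tuple
    # 1. The pattern the advisory describes: negprot flags2=0x0003, sessetup flags2=0x8003.
    det = Flags2Detector()
    a = det.inspect(flow, smb_message(SMB_COM_NEGOTIATE, 0x0003))
    a += det.inspect(flow, smb_message(SMB_COM_SESSION_SETUP_ANDX, 0x8003))
    results["unicode_flip"] = a
    # 2. A client that speaks Unicode from the start: flowbit is never set, no alert.
    det = Flags2Detector()
    a = det.inspect(flow, smb_message(SMB_COM_NEGOTIATE, 0x8001))
    a += det.inspect(flow, smb_message(SMB_COM_SESSION_SETUP_ANDX, 0x8003))
    results["consistent_unicode"] = a
    # 3. Same two messages as scenario 1 but on different flows: state does not carry over.
    det = Flags2Detector()
    other = ("10.0.0.6", 50124, "10.0.0.1", 445)
    a = det.inspect(flow, smb_message(SMB_COM_NEGOTIATE, 0x0003))
    a += det.inspect(other, smb_message(SMB_COM_SESSION_SETUP_ANDX, 0x8003))
    results["split_flows"] = a
    return results


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(f"{name}: {'alert ' + str(alerts) if alerts else 'no alert'}")
```

The arithmetic is the part worth checking by hand: the content match consumes header bytes 0 through 4, byte_test with offset 6 and the relative modifier then reads byte 11, and because flags2 is a little-endian 16-bit field at bytes 10-11, byte 11 is its high byte, so "< 128" is the Unicode bit clear and "> 127" is the Unicode bit set. Two caveats a practitioner would keep in mind: the example feeds one SMB message per call, whereas the rules match raw TCP payload, so on a real sensor the placement of message boundaries depends on stream reassembly and on whether the SMB preprocessor is inspecting the traffic; and flowbits are per flow, which the dictionary keyed by 4-tuple only approximates.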
Current thread:
- Fwd: cve-2010-1635 detection THG (Aug 16)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 17)
- Re: Fwd: cve-2010-1635 detection Joel Esler (Aug 17)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 18)
- Re: Fwd: cve-2010-1635 detection Joel Esler (Aug 17)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 17)