Snort mailing list archives
Re: Explanation of Rule 1:19189:4
From: rmkml <rmkml () yahoo fr>
Date: Tue, 29 Jan 2013 13:50:12 +0100 (CET)
Hi Nicholas,

This rule is renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt".

CVE: The Distributed File System (DFS) implementation in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields in DFS responses, which allows remote DFS servers to execute arbitrary code via a crafted response, aka "DFS Memory Corruption Vulnerability."

Please post a pcap if you have an FP.

Best Regards
Rmkml

On Tue, 29 Jan 2013, Nicholas Horton wrote:
What is important to check with this alert? Does the vulnerability reside on the source or destination and what am I looking for? I saw on the source IP of this alert that it looks like it had installed KB2535512 back in June 2011.

Thanks

alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
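To make the rule's option chain concrete for triage, here is an added Python example (not from the thread and not Snort project code) that lays out the bytes the rule walks through and replays its content/byte_test checks on a constructed SMB Trans2 DFS referral response. The field layout follows the SMB header, Trans2 response header and DFS referral response header as documented in MS-CIFS and MS-DFSC; the sample bytes are synthetic, not captured traffic. The stream-level options (flow:to_client, the smb.trans2.get_dfs_referral flowbit set by the preceding request) are assumed satisfied and are not emulated. The function names are this example's own.

```python
import struct


def build_trans2_dfs_response(path_consumed: int) -> bytes:
    """Construct the NBSS-framed SMB Trans2 response that sid 19189 inspects.

    Byte offsets in the finished buffer (constructed layout, per MS-CIFS):
      0..3   NetBIOS Session Service header (type 0x00 + 3-byte length)
      4..35  SMB header (signature, command, NT status, flags, TID/PID/UID/MID)
      36     WordCount (10)
      37..56 Trans2 response parameter words
      57..58 ByteCount
      59     pad byte to 4-byte alignment
      60..   DFS referral response: PathConsumed, NumberOfReferrals, flags
    """
    smb_header = (
        b"\xffSMB"             # protocol signature
        + b"\x32"              # SMB_COM_TRANSACTION2 (0x32 is ASCII '2', hence "|FF|SMB2")
        + b"\x00\x00\x00\x00"  # NT status: STATUS_SUCCESS
        + b"\x88"              # flags: this is a reply
        + b"\x01\xc8"          # flags2 (sample value; not inspected by the rule)
        + b"\x00" * 12         # PIDHigh, SecuritySignature, Reserved
        + b"\x00\x00"          # TID
        + b"\x00\x00"          # PID
        + b"\x00\x00"          # UID
        + b"\x00\x00"          # MID
    )
    # DFS referral response header: PathConsumed, NumberOfReferrals, ReferralHeaderFlags
    referral = struct.pack("<HHI", path_consumed, 0, 0)
    data_count = len(referral)
    data_offset = 32 + 1 + 20 + 2 + 1  # distance from SMB header start to the data bytes
    trans2 = (
        b"\x0a"  # WordCount = 10
        + struct.pack(
            "<HHHHHHHHHBB",
            0,            # TotalParameterCount
            data_count,   # TotalDataCount
            0,            # Reserved
            0,            # ParameterCount
            data_offset,  # ParameterOffset
            0,            # ParameterDisplacement
            data_count,   # DataCount
            data_offset,  # DataOffset
            0,            # DataDisplacement
            0,            # SetupCount
            0,            # Reserved
        )
        + struct.pack("<H", 1 + data_count)  # ByteCount: pad + data
        + b"\x00"                            # pad
        + referral
    )
    smb = smb_header + trans2
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def rule_19189_matches(payload: bytes) -> bool:
    """Replay the payload options of sid 19189 rev 4 on one TCP segment payload."""
    # content:"|00|"; offset:1;  -> find a 0x00 byte searching from byte 1 (NBSS flags byte)
    if payload.find(b"\x00", 1) < 0:
        return False
    # content:"|FF|SMB2"; depth:5; offset:4;  -> absolute: bytes 4..8 are the SMB
    # signature followed by the Trans2 command byte
    if payload[4:9] != b"\xffSMB2":
        return False
    cursor = 9
    # content:"|00 00 00 00|"; within:4;  -> relative: NT status right after the command
    window = payload[cursor:cursor + 4]
    idx = window.find(b"\x00\x00\x00\x00")
    if idx < 0:
        return False
    cursor += idx + 4
    # byte_test:2,>,0xFFFD,47,little,relative;  -> 47 bytes past the cursor lands on
    # PathConsumed (offset 60 here); alert when it exceeds 0xFFFD
    start = cursor + 47
    if len(payload) < start + 2:
        return False
    path_consumed = struct.unpack_from("<H", payload, start)[0]
    return path_consumed > 0xFFFD


def inspected_fields(payload: bytes) -> dict:
    """Decode the fields the rule's offsets land on, for explaining an alert."""
    return {
        "smb_command": payload[8],
        "nt_status": struct.unpack_from("<I", payload, 9)[0],
        "path_consumed": struct.unpack_from("<H", payload, 60)[0],
    }


if __name__ == "__main__":
    for value in (0x0010, 0xFFFD, 0xFFFE, 0xFFFF):
        pkt = build_trans2_dfs_response(value)
        print(f"PathConsumed=0x{value:04x} fields={inspected_fields(pkt)} "
              f"alert={rule_19189_matches(pkt)}")
```

Reading the rule header alongside this: the packet travels from port 445 on $EXTERNAL_NET to any port on $HOME_NET with flow:to_client, so the inspected bytes are a server's response and the host the rule protects is the SMB client at the alert's destination address; the source address is the DFS server that sent the response. When a pcap is available, running the response payload through rule_19189_matches and inspected_fields shows exactly which PathConsumed value tripped the byte_test.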