Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Explanation of Rule 1:19189:4

From: Nicholas Horton <fivetenets () me com>
Date: Tue, 29 Jan 2013 08:28:15 -0500
Thanks Rmkml. 

I don't have a pcap at this time but can record one.  What I do have is 2 alerts from 2 different sources going to the 
same destination ip generating this alert.

Sources are windows 2003 server titanium and the destination is a xp pro box.

Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box.

I would like to see who has the vulnerability or where the issues is. For example when I get another netbios alert such 
as 1:14782 (conficker) I'm able to verify with nmap that it has the conficker infection.

So with the new netbios alert is there a possible infection. It lists no know false positives. So if both sources have 
the patch should I check the destination since this rule is flow to client?

I read CVE-2011-1869 but I'm still not sure if this is an issue or not.

I guess I should turn of pcap output along with unified2. I can do both simultaneously right?

Thanks again
Nick

On Jan 29, 2013, at 7:50 AM, rmkml <rmkml () yahoo fr> wrote:


Hi Nicholas,

This rule are renamed on rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer 
overflow attempt"

CVE:
The Distributed File System (DFS) implementation in Microsoft Windows
XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
in DFS responses, which allows remote DFS servers to execute arbitrary
code via a crafted response, aka "DFS Memory Corruption
Vulnerability."

Please post pcap if you have FP.

Best Regards
Rmkml


On Tue, 29 Jan 2013, Nicholas Horton wrote:


What is important to check with this alert?

Does the vulnerability reside on the source or destination and what am I looking for?

I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.

Thanks


alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response 
PathConsumed integer overflow attempt";

flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; 
depth:5; offset:4;
content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; 
flowbits:unset,smb.trans2.get_dfs_referral;
metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)




------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: