Security Incidents mailing list archives

IDS signatures for PROTOS SNMP tests


From: Tina Bird <tbird () precision-guesswork com>
Date: Thu, 14 Feb 2002 22:55:57 -0600 (CST)

Here's what I've been able to collect from
the IDS community:

The Snort community has created several rules
specific to the malformed packets created within
the PROTOS suite.  The specifics are on line at:

http://www.geocrawler.com/lists/3/SourceForge/6752/0/7840200/

------------------------------------------------
Cisco Secure Intrusion Detection System (NetRanger): Specific signatures 
are available to detect the PROTOS tool suite, but the signature IDs have 
not yet been released to the public. NetRanger is known to be vulnerable 
to the SNMP issues; see Cisco's advisory for more information and the 
appropriate Defect ID and intended first fixed releases. 

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml#noniossw

The current signature set available for the Cisco IDS is
dated 14 February, but does not specifically mention the
PROTOS test suite in its release notes.
----------------------------------------------
Enterasys Dragon: 5 new rules created and submitted to database: 
SNMP:TRAP-FMT-STRING, SNMP:TRAP-FMT-NUMBER, SNMP:BUFFER-TEST, 
SNMP:GET-FMT-NUMBER, SNMP:GET-FMT-STRING.  New signatures
are available at

https://dragon.enterasys.com/sig-maint/index.html

Dragon Sensor and Dragon Squire are also both vulnerable
to the SNMP bugs.  Updated versions of Dragon Squire are 
available for registered customers at 

https://dragon.enterasys.com/dragon5-fixes/index.html

Updates for Dragon Sensor will be released shortly.
-------------------------------------------
Network Flight Recorder's Rapid Response Team

NFR is not vulnerable to the SNMP bugs.  New 
signatures are available for registered customers
at 

http://support.nfr.net
------------------------------------------- 

ISS has released generic signatures for RealSecure and BlackICE that will 
detect SNMP traffic, but do not appear to be specific for the PROTOS tool: 

http://gtoc.iss.net/snmpalert.pdf
http://www.iss.net/security_center/alerts/advise110.php

In environments where SNMP is used for system
management and monitoring, these signatures will
create a large number of false positives.

According to the ISS Web site, they will be releasing
signatures that are specific to the PROTOS test suite
shortly.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com