Snort mailing list archives
New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service
From: Willst Mail <willstmail () gmail com>
Date: Thu, 18 Feb 2010 16:57:43 -0500
The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active Directory LDAP query handling denial of service." It looks to be examining traffic bound for ports 389 or 3268 containing a particular string in the content. I don't recognize the string except that it looks like it might be part of an LDAP OID.

It is generating hundreds of alerts per hour destined for LDAP servers (AD and otherwise) from client machines. I have not yet looked at packet captures, but my first thought is that these are false positives. Any idea what this rule is really meant to detect and what this string is meant to be?

I have not posted the string because I am not sure if the VRT subscription license considers it proprietary until the signature is released into the community release.

Latest signatures: http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-17.html
MS bulletin re: LDAP vulnerability: http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088

Thanks
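The post suspects the rule's content match is hitting an LDAP OID in ordinary client traffic. A quick way to triage that, before comparing against the rule string, is to decode the LDAP PDUs from the flagged port 389/3268 sessions and list every OID-valued field they carry (control types, extended-operation names). The script below is an added example for this thread, not VRT or Snort code, and it does not reproduce the rule's content string, which the poster did not share. It includes a minimal BER encoder only so that the two sample PDUs (a paged search request and a StartTLS extended request, both constructed here) can be built offline; in real use you would pass `describe()` the TCP payload Snort logged for an alert.

```python
"""Triage helper: decode an LDAP BER PDU and list the OIDs it carries.

Added example for this thread (not VRT or Snort code).  The sample PDUs are
constructed locally with the small encoder below; feed describe() the payload
of a packet that tripped rule 16433 to see which OIDs the client actually sent.
"""
import re

# Dotted OID as it appears in LDAP controlType / requestName fields (ASCII, not BER OID form).
OID_RE = re.compile(rb"^[0-2](\.\d+)+$")

# LDAP protocolOp tags we label; anything else is reported by raw tag value.
OP_NAMES = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone", 0x77: "extendedReq",
            0x78: "extendedResp"}


# ---- tiny BER encoder, used only to build the constructed samples ----------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def integer(v: int) -> bytes:       # non-negative, minimal two's complement
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def octet_string(b: bytes) -> bytes: return tlv(0x04, b)
def boolean(v: bool) -> bytes:       return tlv(0x01, b"\xff" if v else b"\x00")
def enumerated(v: int) -> bytes:     return tlv(0x0A, bytes([v]))
def sequence(b: bytes) -> bytes:     return tlv(0x30, b)


def build_sample_search_request() -> bytes:
    """Constructed sample: SearchRequest (objectClass=*) with a paged-results
    control, controlType 1.2.840.113556.1.4.319 (the well-known MS paging OID)."""
    search = tlv(0x63, b"".join([          # [APPLICATION 3] SearchRequest
        octet_string(b"DC=example,DC=com"),  # baseObject
        enumerated(2),                       # scope: wholeSubtree
        enumerated(0),                       # derefAliases: neverDerefAliases
        integer(0), integer(0),              # sizeLimit, timeLimit
        boolean(False),                      # typesOnly
        tlv(0x87, b"objectClass"),           # Filter: present [7]
        sequence(octet_string(b"cn")),       # attributes
    ]))
    paged_value = sequence(integer(500) + octet_string(b""))   # size, cookie
    control = sequence(octet_string(b"1.2.840.113556.1.4.319")
                       + boolean(True) + octet_string(paged_value))
    return sequence(integer(1) + search + tlv(0xA0, control))  # controls [0]

def build_sample_starttls() -> bytes:
    """Constructed sample: ExtendedRequest for StartTLS, OID 1.3.6.1.4.1.1466.20037."""
    ext = tlv(0x77, tlv(0x80, b"1.3.6.1.4.1.1466.20037"))     # requestName [0]
    return sequence(integer(2) + ext)


# ---- decoder --------------------------------------------------------------
def parse_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; return (tag, value, end). Rejects the
    indefinite-length and multi-byte-tag forms, which RFC 4511 forbids in LDAP."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag not valid in LDAP")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length not valid in LDAP")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:end], end

def walk(buf: bytes, depth: int = 0):
    """Yield (depth, tag, value) for every TLV, recursing into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = parse_tlv(buf, pos)
        yield depth, tag, value
        if tag & 0x20:                       # constructed: descend
            yield from walk(value, depth + 1)

def find_oids(pdu: bytes) -> list:
    """Dotted OIDs found in primitive string fields (controls, extended ops)."""
    return [v.decode("ascii") for _, tag, v in walk(pdu)
            if not tag & 0x20 and OID_RE.match(v)]

def describe(pdu: bytes) -> dict:
    """Summarise one LDAPMessage: messageID, protocolOp name and OIDs present."""
    tag, body, end = parse_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    t, mid, pos = parse_tlv(body, 0)
    if t != 0x02:
        raise ValueError("messageID missing")
    op_tag, _, _ = parse_tlv(body, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "op": OP_NAMES.get(op_tag, f"tag 0x{op_tag:02x}"),
            "oids": find_oids(pdu)}

if __name__ == "__main__":
    for pdu in (build_sample_search_request(), build_sample_starttls()):
        print(describe(pdu))
```

Run it against the real payloads and the OID list tells you immediately whether the clients are sending something exotic or just routine controls such as paged results; if every hit is a routine control, the alerts are almost certainly the false positives the post suspects, and the rule's content match is the thing to scrutinise.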