Snort mailing list archives

New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service


From: Willst Mail <willstmail () gmail com>
Date: Thu, 18 Feb 2010 16:57:43 -0500

The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active
Directory LDAP query handling denial of service."  It looks to be examining
traffic bound for ports 389 or 3268 containing a particular string in the
content.  I don't recognize the string except that it looks like it might be
part of an LDAP OID.  It is generating hundreds of alerts per hour destined
for LDAP servers (AD and otherwise) from client machines.  I have not yet
looked at packet captures but my first thought is that these are false
positives.  Any idea what this rule is really meant to detect and what this
string is meant to be?  I have not posted the string because I am not sure
if the VRT subscription license considers it proprietary until the signature
is released into the community release.

Latest signatures:
http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-17.html
MS bulletin re: LDAP vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088


Thanks