Snort mailing list archives

Re: New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service


From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 19 Feb 2010 10:09:00 -0500

Willst,

Thanks for the report. We're investigating a fix now, and will release one
as soon as feasible. We'll let you know once the fix has gone out.

On Thu, Feb 18, 2010 at 4:57 PM, Willst Mail <willstmail () gmail com> wrote:

The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active
Directory LDAP query handling denial of service."  It looks to be examining
traffic bound for ports 389 or 3268 containing a particular string in the
content.  I don't recognize the string except that it looks like it might be
part of an LDAP OID.  It is generating hundreds of alerts per hour destined
for LDAP servers (AD and otherwise) from client machines.  I have not yet
looked at packet captures but my first thought is that these are false
positives.  Any idea what this rule is really meant to detect and what this
string is meant to be?  I have not posted the string because I am not sure
if the VRT subscription license considers it proprietary until the signature
is released into the community release.

Latest signatures:
http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-17.html
MS bulletin re: LDAP vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088


Thanks



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com