Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FP on sig 17567

From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 17 Nov 2010 12:05:04 -0500
First off, this is a classic case of "if you're not running the software in
question, you shouldn't be running the rule." Chances are high that not only
do you not have LANDesk in your environment, if you did, it'd be patched by
now against a 3-year-old vulnerability anyway.

That said, as for the rule itself - unfortunately, there's no "fixing" it.
Any large packet sent to that service (which listens on that specific port)
will cause a crash; no setup, headers, etc. are necessary. Generally, we're
not fans of covering vulnerabilities like that. However, in this case we had
a specific request for it, and since it's on a unique UDP port (that, in
most environments, doesn't get a lot of traffic - most clients stick to
lower ports than that), we figured that the false positive rate would be low
enough to stick it out there, and have anyone with issues simply disable it
when it came out. You'll note that it's in no policies by default; I'll make
a point to comment it out as well for those who don't use policies in
open-source land.

On Wed, Nov 17, 2010 at 11:36 AM, Andy Berryman <aberryman () cymtec com>wrote:


SPECIFIC-THREATS LANDesk Management Suite Alerting Service buffer overflow

alert udp $EXTERNAL_NET any -> $HOME_NET 65535

sid:17567; rev:1;





I’m seeing this as a false positive for a couple of our customers. Most
seem to be DNS requests. Source port is 53 on most of them and a couple of
them that I’ve talked to have confirmed they don’t have the software on the
machines.





One is source port 161 dest port 65535 and here’s the packet payload



0        OMFGPonies        (       0  0    +          Cisco IOS Software,
3600 Software (C3640-I-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport  Copyright (c)
1986-2008 by Cisco Systems, Inc.  Compiled Sat 08-Nov-08 23:43 by
prod_rel_team



IN HEX:



3082 011d 0201 0004 0a4f 4d46 4750 6f6e 6965 73a2 8201 0a02 0411 ce28 8102
0100 0201 0030 81fb 3081 f806 082b 0601 0201 0101 0004 81eb 4369 7363 6f20
494f 5320 536f 6674 7761 7265 2c20 3336 3030 2053 6f66 7477 6172 6520 2843
3336 3430 2d49 2d4d 292c 2056 6572 7369 6f6e 2031 322e 3428 3233 292c 2052
454c 4541 5345 2053 4f46 5457 4152 4520 2866 6331 290d 0a54 6563 686e 6963
616c 2053 7570 706f 7274 3a20 6874 7470 3a2f 2f77 7777 2e63 6973 636f 2e63
6f6d 2f74 6563 6873 7570 706f 7274 0d0a 436f 7079 7269 6768 7420 2863 2920
3139 3836 2d32 3030 3820 6279 2043 6973 636f 2053 7973 7465 6d73 2c20 496e
632e 0d0a 436f 6d70 696c 6564 2053 6174 2030 382d 4e6f 762d 3038 2032 333a
3433 2062 7920 7072 6f64 5f72 656c 5f74 6561 6d









Thanks,

Andy Berryman
 ------------------------------
 This message from Cymtec Systems, Inc. contains confidential information
and is solely for the use of the recipient(s) named above. If you are not
the intended recipient or an agent responsible for delivering it to the
intended recipient, you are hereby notified that you have received this
message in error and that any review, disclosure, copying, distribution or
use of the contents of this message is strictly prohibited. If you have
received this message in error, please destroy it immediately and notify
Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
 ------------------------------



------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Previous By Date Next
Previous By Thread Next

Current thread: