Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules

[Alex Kirk <akirk () sourcefire com>]

Those are DLL-load rules, so contemplate the nature of the vulnerability,
how an IDS might detect it, and you've got your answer as to what we're
probably looking for.

That said, particularly in the case of NetBIOS rules - it's good practice
not to be loading DLLs across SMB shares anyway. We would actually suggest
trying to figure out what's loading DLLs over SMB and eliminating the need
to do so if possible.

Of course, if you're patched up to current, you should probably just turn
these rules off anyway, as you're no longer vulnerable.

On Tue, Jan 25, 2011 at 4:16 PM, Jason Haar <Jason.Haar () trimble co nz>wrote:

> Hi there
>
> A couple of days ago, we rolled out the current Registered User 2.9.0.2
> rules, and we're triggering a range of DLL-related NETBIOS rules, on
> normal file transfers, Office installs (I think) and backups.
>
> eg
>
> NETBIOS pptimpconv.dll access
> NETBIOS Windows Address Book smmscrpt.dll malicious DLL load
> NETBIOS Windows Address Book wab32res.dll malicious DLL load
> NETBIOS Windows Address Book msoeres32.dll malicious DLL load
> NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
> WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
>
>
> As these rules are all "metadata: engine shared", I can't tell what's
> going on, but the packet capture seems to show the associated filenames,
> so are these rules simply triggering whenever these files are seen? If
> so, they are going to generate a mess of FPs for lots of people...
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better
> price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users