Snort mailing list archives

Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Jan 2011 14:37:23 +1300

On 01/26/2011 10:56 AM, Alex Kirk wrote:
> Those are DLL-load rules, so contemplate the nature of the
> vulnerability, how an IDS might detect it, and you've got your answer
> as to what we're probably looking for.

Hmmm. So every prior release of these particular DLLs would be
vulnerable, so you couldn't make rules to detect them. You could
potentially have a rule to detect the current (fixed) versions, and
alert on anything else - but they may be changed next month for all you
know, so that's unsustainable too...

Yuck - nothing but filenames I guess :-(

> That said, particularly in the case of NetBIOS rules - it's good
> practice not to be loading DLLs across SMB shares anyway. We would
> actually suggest trying to figure out what's loading DLLs over SMB and
> eliminating the need to do so if possible.

"Doctor, it hurts when I do this".
"Don't do that then".

We are not going to be able to change how software installs off CDROM
over the network are done, nor are we going to be able to stop people
backing up software (we are a software company), so DLLs flowing across
the network are going to remain a normal day-to-day occurrence.
Whitelisting it is then.

> Of course, if you're patched up to current, you should probably just
> turn these rules off anyway, as you're no longer vulnerable.

Well, we're patched except for the boxes that aren't - same as everyone
else here ;-)

I'll whitelist "NETBIOS .*MS10-09" - that should do it. Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
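The whitelisting approach discussed in the thread, as an added example that is not part of the original message or of Snort itself: a small Python script that reads Snort alert_fast lines, tallies which DLL-load rules fire from which SMB source hosts, and emits threshold.conf `suppress` entries scoped with `track by_src` to a set of trusted file servers, so a DLL served from an unknown host still alerts. The alert lines, rule messages, SIDs (local-range 1000001 to 1000003) and IP addresses are all constructed for the example; the rule-message pattern `NETBIOS .*MS10-09` is the one named in the reply above.

```python
import re
from collections import Counter

# Constructed alert_fast lines for illustration only (not real Snort output).
# SIDs 1000001-1000003 are local-rule placeholders, not real VRT rule IDs.
SAMPLE_ALERTS = """\
01/26-14:01:02.000001  [**] [1:1000001:1] NETBIOS SMB Windows example.dll dll-load attempt (MS10-090) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.1.54:445 -> 10.1.2.10:49152
01/26-14:01:03.000002  [**] [1:1000001:1] NETBIOS SMB Windows example.dll dll-load attempt (MS10-090) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.1.54:445 -> 10.1.2.11:49153
01/26-14:01:04.000003  [**] [1:1000002:1] NETBIOS SMB Windows other.dll dll-load attempt (MS10-092) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.1.55:445 -> 10.1.2.10:49154
01/26-14:01:05.000004  [**] [1:1000001:1] NETBIOS SMB Windows example.dll dll-load attempt (MS10-090) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.77:445 -> 10.1.2.12:49155
01/26-14:01:06.000005  [**] [1:1000003:1] NETBIOS SMB unrelated example rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.54:445 -> 10.1.2.10:49156
"""

# Fields of an alert_fast line: [gid:sid:rev] message [**] ... {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            alerts.append(a)
    return alerts


def count_by_rule_and_source(alerts, msg_pattern):
    """Tally alerts whose rule message matches msg_pattern, keyed by (gid, sid, src).

    This is the triage step: it shows which SMB servers are generating the noise
    before anything is suppressed.
    """
    pat = re.compile(msg_pattern)
    counts = Counter()
    for a in alerts:
        if pat.search(a["msg"]):
            counts[(a["gid"], a["sid"], a["src"])] += 1
    return counts


def suppressions_for_trusted_sources(alerts, msg_pattern, trusted_sources):
    """Build threshold.conf 'suppress' lines for matching rules, one per (rule, trusted source).

    Scoping with 'track by_src' to known file servers keeps the rule live for
    any other host pushing DLLs over SMB.
    """
    pat = re.compile(msg_pattern)
    seen = set()
    lines = []
    for a in alerts:
        if not pat.search(a["msg"]) or a["src"] not in trusted_sources:
            continue
        key = (a["gid"], a["sid"], a["src"])
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}")
    return lines


def alerts_still_firing(alerts, msg_pattern, trusted_sources):
    """Return the matching alerts the suppressions would NOT silence (untrusted sources)."""
    pat = re.compile(msg_pattern)
    return [a for a in alerts if pat.search(a["msg"]) and a["src"] not in trusted_sources]


if __name__ == "__main__":
    pattern = r"NETBIOS .*MS10-09"          # pattern named in the thread
    trusted = {"10.1.1.54", "10.1.1.55"}    # constructed: the site's known file servers
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, src), n in count_by_rule_and_source(alerts, pattern).most_common():
        print(f"{gid}:{sid} from {src}: {n} alerts")
    print("\n".join(suppressions_for_trusted_sources(alerts, pattern, trusted)))
    for a in alerts_still_firing(alerts, pattern, trusted):
        print(f"still alerting: {a['gid']}:{a['sid']} from {a['src']}")
```

The generated lines go into the threshold.conf that snort.conf includes; the `alerts_still_firing` check is worth running before deploying them, since it lists exactly which sources the whitelist leaves uncovered.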

