Snort mailing list archives

Fwd: cve-2010-1635 detection


From: THG <thehulkguy () gmail com>
Date: Fri, 17 Aug 2012 08:47:11 +1000

Hi Guys,

I was looking for a signature for CVE-2010-1635, "Samba Flags2 header parsing vulnerability". I didn't find a signature for
it in the Snort ruleset.
After reading the CVE and the stratsec.net advisory on Samba Multiple DoS Vulnerabilities (SS-2010-005), I have attempted to
write a signature for it.

Could someone please validate the logic?

# Negotiate Protocol (0x72) with the UNICODE bit of Flags2 clear: set the flowbit only, no alert.
# Relative offset 6 after |FF|SMB|72| is the high byte of the little-endian Flags2 field (bit 0x80 = 0x8000 UNICODE).
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing - flowbit: set"; flow:to_server,established; content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative; flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097; reference:cve,2010-1635; classtype:attempted-dos; sid:7538001; rev:1;)

# Session Setup AndX (0x73) with the UNICODE bit set on a flow where the flowbit was set above: alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing denial of service attempt 1"; flow:to_server,established; content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative; flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097; reference:cve,2010-1635; classtype:attempted-dos; sid:7538002; rev:1;)


thanks,
rogue
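The rules above rely on two things that are easy to get wrong: the byte_test offset (6 bytes past the end of the |FF|SMB|cmd| match must land on the high byte of the little-endian Flags2 field, where 0x80 is the SMB_FLAGS2_UNICODE bit, and that has to hold whether or not a 4-byte NetBIOS Session Service header precedes the SMB header on port 139) and the per-flow state (the alert must fire only when the Negotiate on the same flow cleared the UNICODE bit and the Session Setup AndX then set it). The following script is an added example written for this edit, not code from the poster, Snort or Samba. It builds constructed SMB1 headers, mirrors the content/byte_test/flowbits logic of both rules in plain Python, and runs three made-up client flows: the 0x0003-then-0x8003 Flags2 sequence from the CVE description, a normal Unicode client, and a Session Setup with no prior Negotiate. The IP addresses, ports and every header field other than the command and Flags2 values are placeholders.

```python
"""Emulate the two flowbit rules over constructed SMB1 packets.

Added example to check the byte_test offsets and the flow-state logic;
not part of the original post and not Samba or Snort code.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72           # rule 7538001 matches |FF|SMB|72|
SMB_COM_SESSION_SETUP_ANDX = 0x73  # rule 7538002 matches |FF|SMB|73|
FLAGS2_UNICODE = 0x8000            # high bit of the little-endian Flags2 field
FLOWBIT = "rn.smbd.flags2"


def build_smb_header(command, flags2, flags=0x18, status=0, pid=0x1234,
                     tid=0, uid=0, mid=1):
    """Return a 32-byte SMB1 header (constructed data, not a capture).

    Layout: magic(4) cmd(1) status(4) flags(1) flags2(2) pid_high(2)
    security_features(8) reserved(2) tid(2) pid_low(2) uid(2) mid(2).
    """
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, status, flags,
                       flags2, (pid >> 16) & 0xFFFF, b"\x00" * 8, 0, tid,
                       pid & 0xFFFF, uid, mid)


def netbios_wrap(smb):
    """Prefix the 4-byte NetBIOS Session Service header seen on TCP/139."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def byte_test_flags2_high(payload, command):
    """Mirror of content:"|FF|SMB|<cmd>|"; byte_test:1,<op>,<val>,6,relative.

    Returns the byte 6 past the end of the content match (the high byte of
    Flags2, i.e. the UNICODE bit), or None if the content is absent. The
    content search is unanchored, as Snort's is, so a NetBIOS prefix is fine.
    """
    pattern = SMB_MAGIC + bytes([command])
    pos = payload.find(pattern)
    if pos < 0:
        return None
    off = pos + len(pattern) + 6
    return payload[off] if off < len(payload) else None


class FlowbitDetector:
    """Per-flow state, keyed by a (src, sport, dst, dport) tuple like Snort's flowbits."""

    def __init__(self):
        self.bits = {}

    def inspect(self, flow, payload):
        """Feed one client-to-server payload; return the alert msg or None."""
        bits = self.bits.setdefault(flow, set())
        # sid 7538001: Negotiate with UNICODE clear -> set the flowbit, no alert
        b = byte_test_flags2_high(payload, SMB_COM_NEGOTIATE)
        if b is not None and b < 128:
            bits.add(FLOWBIT)
        # sid 7538002: Session Setup AndX with UNICODE set, only if the flowbit is set
        b = byte_test_flags2_high(payload, SMB_COM_SESSION_SETUP_ANDX)
        if b is not None and b > 127 and FLOWBIT in bits:
            return "Samba smbd flags2 header parsing denial of service attempt 1"
        return None


def run_scenarios():
    """Three constructed client flows; returns {name: alert-or-None}."""
    det = FlowbitDetector()
    results = {}
    # Trigger sequence from the CVE text: Flags2 0x0003 Negotiate, then 0x8003 Session Setup (over NetBIOS)
    f = ("10.0.0.5", 49152, "10.0.0.1", 139)
    det.inspect(f, netbios_wrap(build_smb_header(SMB_COM_NEGOTIATE, 0x0003)))
    results["trigger"] = det.inspect(
        f, netbios_wrap(build_smb_header(SMB_COM_SESSION_SETUP_ANDX, 0x8003)))
    # Normal Unicode client: both requests carry the UNICODE bit -> no flowbit, no alert
    f = ("10.0.0.6", 49153, "10.0.0.1", 445)
    det.inspect(f, build_smb_header(SMB_COM_NEGOTIATE, 0x8003))
    results["unicode_client"] = det.inspect(
        f, build_smb_header(SMB_COM_SESSION_SETUP_ANDX, 0x8003))
    # Session Setup with no Negotiate on this flow -> flowbit never set, no alert
    f = ("10.0.0.7", 49154, "10.0.0.1", 445)
    results["no_negotiate"] = det.inspect(
        f, build_smb_header(SMB_COM_SESSION_SETUP_ANDX, 0x8003))
    return results


if __name__ == "__main__":
    for name, alert in run_scenarios().items():
        print(f"{name}: {alert}")
```

Only the first flow produces the alert. The emulator evaluates the set rule before the isset rule within one payload, which is how the two requests arrive in practice (separate packets); it does not model AndX chaining inside a single SMB message, so a chained Negotiate+Session Setup in one packet is outside what this check covers.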
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org