Re: Fwd: cve-2010-1635 detection

[Balasubramaniam Natarajan <bala150985 () gmail com>]

On Fri, Aug 17, 2012 at 4:17 AM, THG <thehulkguy () gmail com> wrote:

> Hi Guys,
>
> I was looking for Signature for CVE-2010-1635 "Samba Flags2 header parsing
> vulnerability". I didn't find signature for it in snort ruleset.
> After reading CVE and stratsec.net advisories on
> Samba-Multiple-DoS-Vulnerabilities "SS-2010-005", I have attempted to write
> signature for it.
>
> Could some one please validate the logic.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2
> header parsing - flowbit: set"; flow: to_server,established;
> content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative;
> flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097;
> reference:cve,2010-1635; sid:7538001;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2
> header parsing denial of service attempt 1"; flow: to_server,established;
> content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative;
> flowbits:isset,rn.smbd.flags2;reference:bugtraq,40097,;
> reference:cve,2010-1635; sid:7538002;)

Why do you have a comma in the references like "cve,2010-1635"  Should it
not be like "CVE-2010-1653" ?

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!