Snort mailing list archives

Re: Ghost glibc and EXIM rules


From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 29 Jan 2015 13:12:26 -0600

Lukas, ET has these so hopefully this helps in the interim.  From
http://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules

#
alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT
CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established;
content:"HELO "; nocase; content:!"|0a|"; within:1024;
pcre:"/^\s*?[\d\x2e]{1023}/R";
reference:url,openwall.com/lists/oss-security/2015/01/27/9;
classtype:attempted-admin; sid:2020325; rev:1;)

#
alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT
CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established;
content:"EHLO "; nocase; content:!"|0a|"; within:1024;
pcre:"/^\s*?[\d\x2e]{1023}/R";
reference:url,openwall.com/lists/oss-security/2015/01/27/9;
classtype:attempted-admin; sid:2020326; rev:3;)

Cheers,
Nathan


On 01/29/2015 12:08 PM, Lukas Matt wrote:
Hi,

according to Talos (http://blogs.cisco.com/security/talos/ghost-glibc) they have
two snort rules for the EXIM glibc exploit.

SID 33225 and 33226.

I was not able to find them in the sourcefire tarball.

Will they be included in the next release?

Regards



-- 
Lukas Matt
Deep Packet Inspection Developer, SophosLabs
O: (+49) 721-25516-322 / M: (+49) 174-3440-555
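To make explicit what the two ET rules quoted above actually require of a packet, here is an added Python check (not part of this thread, not ET's own code) that applies the same three conditions in the same order to a handful of constructed SMTP command samples; the function and sample names are assumptions of this example.

```python
import re
from typing import Optional

# Verbs and constraints lifted from ET sids 2020325 (HELO) and 2020326 (EHLO).
SMTP_VERBS = (b"HELO ", b"EHLO ")
NO_NEWLINE_WINDOW = 1024                                # content:!"|0a|"; within:1024
DIGITS_DOTS_RE = re.compile(rb"^\s*?[\d\x2e]{1023}")   # pcre:"/^\s*?[\d\x2e]{1023}/R"


def et_exim_rule_matches(payload: bytes) -> Optional[str]:
    """Return "HELO"/"EHLO" if the payload would trip the matching ET rule, else None.

    Mirrors the rule body:
      1. content:"HELO " nocase  - verb found anywhere in the payload;
      2. content:!"|0a|" within  - no LF in the 1024 bytes after the verb, so the
         host argument does not end where a normal SMTP line would;
      3. pcre .../R              - relative to the verb, optional whitespace then
         1023 digits/dots (a negated content does not move the cursor, so the
         regex is anchored right after the verb).
    """
    lowered = payload.lower()
    for verb in SMTP_VERBS:
        start = 0
        while True:
            idx = lowered.find(verb.lower(), start)   # nocase search
            if idx < 0:
                break
            end = idx + len(verb)
            window = payload[end:end + NO_NEWLINE_WINDOW]
            if b"\n" not in window and DIGITS_DOTS_RE.match(payload[end:]):
                return verb.strip().decode()
            start = idx + 1                           # try the next occurrence
    return None


# Constructed sample commands (not captured traffic).
BENIGN = b"EHLO mail.example.com\r\n"
LONG_ALPHA = b"EHLO " + b"a" * 1100 + b"\r\n"          # long, but not digits/dots
SHORT_NUMERIC = b"HELO " + b"1.2.3.4" * 10 + b"\r\n"   # digits/dots, but LF inside window
LONG_NUMERIC = b"helo " + b"1" * 1100 + b"\r\n"        # lowercase verb: nocase catches it


def scan_sample_commands() -> dict:
    """Run every constructed sample through the rule logic."""
    samples = {"benign": BENIGN, "long_alpha": LONG_ALPHA,
               "short_numeric": SHORT_NUMERIC, "long_numeric": LONG_NUMERIC}
    return {name: et_exim_rule_matches(data) for name, data in samples.items()}
```

Only the long all-numeric argument fires; a long alphabetic host or a short numeric one does not, which is the false-positive boundary the `within:1024` and `{1023}` constraints draw.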



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

