Snort mailing list archives
Re: masses of FPs with 2.9.0.2 "NETBIOS Windows .* dll" rules
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Jan 2011 14:37:23 +1300
On 01/26/2011 10:56 AM, Alex Kirk wrote:
> Those are DLL-load rules, so contemplate the nature of the vulnerability, how an IDS might detect it, and you've got your answer as to what we're probably looking for.
Hmmm. So every prior release of these particular DLLs would be vulnerable, so you couldn't make rules to detect them. You could potentially have a rule to detect the current (fixed) versions, and alert on anything else - but they may be changed next month for all you know, so that's unsustainable too... Yuck - nothing but filenames I guess :-(
> That said, particularly in the case of NetBIOS rules - it's good practice not to be loading DLLs across SMB shares anyway. We would actually suggest trying to figure out what's loading DLLs over SMB and eliminating the need to do so if possible.
"Doctor, it hurts when I do this". "Don't do that then". We are not going to be able to change how software installs off CDROM over the network are done, nor are we going to be able to stop people backing up software (we are a software company), so DLLs flowing across the network are going to remain a normal day-to-day occurrence. Whitelisting it is then.
> Of course, if you're patched up to current, you should probably just turn these rules off anyway, as you're no longer vulnerable.
Well, we're patched except for the boxes that aren't - same as everyone else here ;-) I'll whitelist "NETBIOS .*MS10-09" - that should do it. Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
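The whitelist Jason describes ("NETBIOS .*MS10-09") is a pattern over rule message strings, and Snort's own mechanism for silencing a rule without deleting it is a `suppress` entry in threshold.conf keyed by generator and signature id. The script below is an added example, not code from the thread or from the Snort project: it parses a constructed rules file (the rule lines and SIDs 9000001-9000005 are placeholders, not real VRT rules), selects the enabled rules whose `msg` matches the pattern, and emits `suppress gen_id <gid>, sig_id <sid>` lines, optionally scoped to the known installer/backup hosts with `track by_src`/`by_dst` so the rules keep firing for everything else.

```python
import re

# Constructed sample rules for demonstration only. SIDs in the 9000000 range are
# placeholders, not real Snort/VRT signatures; the second rule is already commented out.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example.dll load attempt MS10-091"; flow:to_server,established; content:"example.dll"; nocase; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB disabled.dll load attempt MS10-092"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB other.dll load attempt MS10-093"; flow:to_server,established; content:"other.dll"; nocase; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB unrelated overflow attempt"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT MS10-090 example"; sid:9000005; rev:1;)
"""

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_rules(text):
    """Yield (gid, sid, msg, enabled) for every rule line in a rules file.

    A leading '#' marks a rule that is already disabled. Rules without an
    explicit gid option default to generator 1 (the text rule engine).
    """
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ")
        m_msg, m_sid = MSG_RE.search(body), SID_RE.search(body)
        if not (m_msg and m_sid):
            continue  # not a rule line (blank, include, config, ...)
        m_gid = GID_RE.search(body)
        gid = int(m_gid.group(1)) if m_gid else 1
        yield gid, int(m_sid.group(1)), m_msg.group(1), enabled


def matching_rules(text, pattern):
    """Return [(gid, sid, msg)] for enabled rules whose msg matches the regex."""
    regex = re.compile(pattern)
    return [(gid, sid, msg) for gid, sid, msg, enabled in parse_rules(text)
            if enabled and regex.search(msg)]


def suppress_entries(text, pattern, hosts=None, track="by_dst"):
    """Build threshold.conf suppress lines for the rules matching `pattern`.

    With no hosts the rule is silenced everywhere. With hosts (assumed here to be
    the file servers that legitimately serve DLLs, e.g. install and backup
    shares), one entry per host is scoped with 'track by_src'/'by_dst' so the
    rule still alerts on traffic involving any other host.
    """
    lines = []
    for gid, sid, msg in matching_rules(text, pattern):
        lines.append("# %s" % msg)
        if not hosts:
            lines.append("suppress gen_id %d, sig_id %d" % (gid, sid))
        else:
            for host in hosts:
                lines.append("suppress gen_id %d, sig_id %d, track %s, ip %s"
                             % (gid, sid, track, host))
    return lines


if __name__ == "__main__":
    # Global whitelist, as in the thread.
    print("\n".join(suppress_entries(SAMPLE_RULES, r"NETBIOS .*MS10-09")))
    # Narrower variant: only for a constructed file-server address.
    print("\n".join(suppress_entries(SAMPLE_RULES, r"NETBIOS .*MS10-09",
                                     hosts=["192.0.2.10"], track="by_dst")))
```

The output lines go into threshold.conf (or wherever `include threshold.conf` points in snort.conf); the commented `msg` above each entry records why the SID was suppressed, which matters when the ruleset is refreshed and the SIDs need re-checking. Tracking by destination with the file servers' addresses keeps the rules live for DLL loads from any other share, which is the behaviour Alex's suggestion of finding and eliminating the unexpected loads would want.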