Snort mailing list archives
Re: Fwd: cve-2010-1635 detection
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Fri, 17 Aug 2012 13:55:38 +0530
On Fri, Aug 17, 2012 at 4:17 AM, THG <thehulkguy () gmail com> wrote:
Hi Guys,

I was looking for a signature for CVE-2010-1635 "Samba Flags2 header parsing vulnerability". I didn't find a signature for it in the Snort ruleset. After reading the CVE and the stratsec.net advisory on Samba-Multiple-DoS-Vulnerabilities "SS-2010-005", I have attempted to write a signature for it. Could someone please validate the logic?

alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing - flowbit: set"; flow:to_server,established; content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative; flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing denial of service attempt 1"; flow:to_server,established; content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative; flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538002;)
Why do you have a comma in the references like "cve,2010-1635"? Should it not be like "CVE-2010-1635"?

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
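The two-rule flowbit logic in THG's signatures, modelled in Python and run over constructed SMB1 packets so the byte_test offsets can be checked. This is an added example, not code from the thread, from Snort or from Samba. The packet builder, the flags2 values 0x4801 / 0xc801, the sample flows and the function names are assumptions made for the demonstration; what it mirrors from the posted rules is the unanchored `|FF|SMB|72|` / `|FF|SMB|73|` content match and the byte_test six bytes past the match, which lands on the high byte of flags2 (the byte carrying the 0x8000 Unicode bit).

```python
"""Model of sid:7538001 / sid:7538002 from the thread, run over constructed
SMB1 traffic.  Added example: not the thread's, Snort's or Samba's code."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72            # |FF|SMB|72| in rule 1
SMB_COM_SESSION_SETUP_ANDX = 0x73   # |FF|SMB|73| in rule 2
FLAGS2_UNICODE = 0x8000             # high bit of flags2; high byte >= 0x80

# Constructed flags2 values: same low byte, Unicode bit clear vs set.
FLAGS2_ASCII = 0x4801
FLAGS2_UNICODE_SET = 0xc801


def build_smb1(command: int, flags2: int, body: bytes = b"") -> bytes:
    """Constructed direct-hosted (TCP/445) SMB1 message: 4-byte NetBIOS
    session header, 32-byte SMB header, optional body.  Header layout:
    magic(4) command(1) status(4) flags(1) flags2(2, little-endian) ..."""
    hdr = SMB_MAGIC + struct.pack("<BIBH", command, 0, 0x18, flags2)
    hdr += struct.pack("<H", 0) + b"\x00" * 8 + b"\x00\x00"   # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0, 0xfeff, 0, 0)               # TID, PIDLow, UID, MID
    assert len(hdr) == 32
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def parse_smb1(pkt: bytes) -> dict:
    """Decode the header fields the rules depend on (assumed helper)."""
    smb = pkt[4:]                       # skip the NetBIOS session header
    if smb[:4] != SMB_MAGIC or len(smb) < 32:
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "unicode": bool(flags2 & FLAGS2_UNICODE)}


def rule_matches(payload: bytes, command: int, want_unicode: bool) -> bool:
    """One rule's detection options:
       content:"|FF|SMB|<command>|"; byte_test:1,<op>,<value>,6,relative;
    The posted rules carry no offset/depth, so Snort searches the whole
    payload for the content; this does the same.  After the 5-byte match
    the cursor sits on the status field, and +6 is the flags2 high byte."""
    needle = SMB_MAGIC + bytes([command])
    i = payload.find(needle)
    if i < 0:
        return False
    pos = i + len(needle) + 6
    if pos >= len(payload):
        return False
    hi = payload[pos]
    return hi > 127 if want_unicode else hi < 128   # >,127  vs  <,128


def detect(flow: list) -> list:
    """Walk the client->server packets of one TCP flow in order, emulating
    rule 1 (flowbits:set + noalert) and rule 2 (flowbits:isset + alert)."""
    flowbit = False
    alerts = []
    for n, pkt in enumerate(flow):
        if rule_matches(pkt, SMB_COM_NEGOTIATE, want_unicode=False):
            flowbit = True              # rn.smbd.flags2 set, no alert
        if flowbit and rule_matches(pkt, SMB_COM_SESSION_SETUP_ANDX, want_unicode=True):
            alerts.append("pkt %d: Samba smbd flags2 header parsing denial of service attempt 1" % n)
    return alerts


# Constructed sample flows.
SUSPECT_FLOW = [build_smb1(SMB_COM_NEGOTIATE, FLAGS2_ASCII),
                build_smb1(SMB_COM_SESSION_SETUP_ANDX, FLAGS2_UNICODE_SET)]
BENIGN_FLOW = [build_smb1(SMB_COM_NEGOTIATE, FLAGS2_UNICODE_SET),
               build_smb1(SMB_COM_SESSION_SETUP_ANDX, FLAGS2_UNICODE_SET)]
# Same flow as SUSPECT_FLOW with one more session setup: the flowbit is never
# unset, so every later session setup in the flow alerts again.
REPEAT_FLOW = SUSPECT_FLOW + [build_smb1(SMB_COM_SESSION_SETUP_ANDX, FLAGS2_UNICODE_SET)]

if __name__ == "__main__":
    for name, flow in (("suspect", SUSPECT_FLOW), ("benign", BENIGN_FLOW), ("repeat", REPEAT_FLOW)):
        print(name, [hex(parse_smb1(p)["flags2"]) for p in flow], detect(flow))
```

Two things the model makes visible that a reviewer of the rules would raise. First, neither rule anchors the content, so `|FF|SMB|72|` is accepted anywhere in the payload; for direct-hosted SMB on 445 the header follows a 4-byte NetBIOS session header, so `offset:4; depth:5;` would pin the match to the real header. Second, rule 2 checks the flowbit but never clears it, so once a flow has seen a non-Unicode negotiate, every later Unicode session setup in that flow alerts again (the REPEAT_FLOW case); a `flowbits:unset` in rule 2 would limit it to the first one. Whether the negotiate-then-session-setup sequence is the actual trigger condition is the reading of the advisory that THG asked the list to validate, and nothing here confirms it.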
Current thread:
- Fwd: cve-2010-1635 detection THG (Aug 16)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 17)
- Re: Fwd: cve-2010-1635 detection Joel Esler (Aug 17)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 18)
- Re: Fwd: cve-2010-1635 detection Joel Esler (Aug 17)
- Re: Fwd: cve-2010-1635 detection Balasubramaniam Natarajan (Aug 17)