Snort mailing list archives
Re: Explanation of Rule 1:19189:4
From: rmkml <rmkml () yahoo fr>
Date: Tue, 29 Jan 2013 16:32:08 +0100 (CET)
Thx for reply, How long time have you enabled this rule (sid19189) please? It's first time this rule fire please? If IP src and dst are trust, certainly a FP: -maybe fix FP -or simply exclude IP on this rule -or disable this rule The best is start a network capture like tcpdump on snort sensor please (bpf filter like two IP and netbios ports). Best Regards Rmkml On Tue, 29 Jan 2013, Nicholas Horton wrote:
Thanks Rmkml. I don't have a pcap at this time but can record one. What I do have is 2 alerts from 2 different sources going to the same destination ip generating this alert. Sources are windows 2003 server titanium and the destination is a xp pro box. Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box. I would like to see who has the vulnerability or where the issues is. For example when I get another netbios alert such as 1:14782 (conficker) I'm able to verify with nmap that it has the conficker infection. So with the new netbios alert is there a possible infection. It lists no know false positives. So if both sources have the patch should I check the destination since this rule is flow to client? I read CVE-2011-1869 but I'm still not sure if this is an issue or not. I guess I should turn of pcap output along with unified2. I can do both simultaneously right? Thanks again Nick On Jan 29, 2013, at 7:50 AM, rmkml <rmkml () yahoo fr> wrote:Hi Nicholas, This rule are renamed on rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt" CVE: The Distributed File System (DFS) implementation in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields in DFS responses, which allows remote DFS servers to execute arbitrary code via a crafted response, aka "DFS Memory Corruption Vulnerability." Please post pcap if you have FP. Best Regards Rmkml On Tue, 29 Jan 2013, Nicholas Horton wrote:What is important to check with this alert? Does the vulnerability reside on the source or destination and what am I looking for? I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011. Thanksalert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
------------------------------------------------------------------------------ Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON SALE this month only -- learn more at: http://p.sf.net/sfu/learnnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Explanation of Rule 1:19189:4 Nicholas Horton (Jan 29)
- Re: Explanation of Rule 1:19189:4 rmkml (Jan 29)
- Re: Explanation of Rule 1:19189:4 Nicholas Horton (Jan 29)
- Re: Explanation of Rule 1:19189:4 rmkml (Jan 29)
- Re: Explanation of Rule 1:19189:4 Nicholas Horton (Jan 29)
- Re: Explanation of Rule 1:19189:4 Nicholas Horton (Jan 29)
- Re: Explanation of Rule 1:19189:4 Nicholas Horton (Jan 29)
- Re: Explanation of Rule 1:19189:4 Joel Esler (Jan 29)
- Re: Explanation of Rule 1:19189:4 rmkml (Jan 29)