[Snort-sigs] Sig for MS04-007 exploit?

Nilesh Burghate nileshb at ...2249...
Wed Feb 18 21:28:00 EST 2004


Hi,

We have written a Snort signature for detecting the Microsoft ASN.1 vulnerability.

As rightly pointed out, we have to check for the following bits:
\xA1\x05\x23\x03\x03\x01\x07
These flags are actually triggering the heap overflow and are a must for
exploiting the vulnerability.

The Snort signature for this exploit is given below:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NetIntel Microsoft ASN.1 Library Buffer Overflow Exploit"; \
    content:"|A1 05 23 03 03 01 07|"; \
    flow:to_server,established; \
    classtype:bad-unknown; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.asp; \
    sid:9999; rev:1;)

We have also written Snort signatures for detecting SQL injection and
cross-site scripting. These are available on our website:
http://www.nii.co.in/research/snort.html

HTH,

Nilesh P. Burghate,
Senior Security Analyst,
Network Intelligence India Pvt. Ltd
web: www.nii.co.in
Mob: 91-9819350587
Tel: 91-22-22001530, 22006019
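As an added example (not part of this message or of the NII signature set), the following Python re-implements what the rule's content: option does: it parses Snort's content string notation (literal text with |hex| runs) into bytes and applies the rule's port and direction conditions to sample segments. The function names and the sample segments are constructed for the example, not captured traffic.

```python
# Added example: a minimal re-implementation of the Snort "content:" match
# used by the rule above. Not Snort code and not the signature author's code.

RULE_CONTENT = '|A1 05 23 03 03 01 07|'   # content: string copied from the rule

def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content: string into raw bytes.

    Snort content syntax mixes literal text with |hex| runs; inside literal
    text the characters | " ; and \\ must be escaped with a backslash.
    """
    out = bytearray()
    in_hex, hexbuf = False, ''
    i = 0
    while i < len(spec):
        ch = spec[i]
        if in_hex:
            if ch == '|':                       # end of hex run
                out += bytes.fromhex(hexbuf)    # raises on odd-length/bad hex
                in_hex, hexbuf = False, ''
            elif not ch.isspace():
                hexbuf += ch
        elif ch == '|':                         # start of hex run
            in_hex = True
        elif ch == '\\' and i + 1 < len(spec):  # escaped literal character
            i += 1
            out.append(ord(spec[i]))
        else:
            out.append(ord(ch))
        i += 1
    if in_hex:
        raise ValueError('unterminated |hex| run in content string')
    return bytes(out)

MS04_007_REQFLAGS = parse_snort_content(RULE_CONTENT)

def matches_rule(payload: bytes, dst_port: int, to_server: bool) -> bool:
    """Apply the rule's conditions to one TCP segment: destination port 139,
    client-to-server direction (flow:to_server), and the reqFlags bytes
    anywhere in the payload (a plain, case-sensitive byte search)."""
    return to_server and dst_port == 139 and MS04_007_REQFLAGS in payload

# Constructed sample segments (not captured traffic): filler bytes with and
# without the seven-byte pattern embedded.
SUSPECT_SEGMENT = b'\x00' * 16 + MS04_007_REQFLAGS + b'\x00' * 16
BENIGN_SEGMENT = b'\x00' * 8 + b'\xa1\x05\x23\x03\x03\x01\x08' + b'\x00' * 8  # last byte differs
```

The port and direction checks mirror the rule header exactly: the same bytes sent to a port other than 139, or seen in the server-to-client direction, are not matched by this rule as written.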
----- Original Message -----
From: "Compton, Rich" <RCompton at ...1352...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Thursday, February 19, 2004 4:12 AM
Subject: RE: [Snort-sigs] Sig for MS04-007 exploit?


> Good question,
> Does anybody have a reply to this?  What is the rule that will be created to
> match traffic trying to exploit this vulnerability?
>
> -Rich Compton
>
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Christian
> Tramnitz
> Sent: Sunday, February 15, 2004 2:37 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Sig for MS04-007 exploit?
>
>
> Does anyone already have a signature for the MS04-007 exploit?
>
> The malicious code should be:
>
> /* reqFlags that should trigger the overflow */
> "\xA1\x05\x23\x03\x03\x01\x07"
>
>
> Best regards,
>    Christian
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs