[Snort-sigs] VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Mon Apr 18 16:07:18 EDT 2005


Sourcefire VRT Certified Rules Update

Date: 2005-04-18

Synopsis:
After continuing research into the Microsoft Security Bulletin
(MS05-017) released on Tuesday, April 12, 2005, the Sourcefire
Vulnerability Research Team (VRT) has released a number of new rules to
detect possible attempts to exploit the Microsoft Message Queuing vulnerability.
Additionally, a rule to detect attempts to cause a Denial of Service
using spoofed ICMP messages is also included in this rule pack.

Details:
Microsoft Message Queuing (MSMQ) enables messages to be queued for
delivery at opportune times. Applications can query the message queue as
they come online or at scheduled times.

A programming error in the MSMQ subsystem may present an attacker with
the opportunity to overflow a fixed-length buffer and execute code of
their choosing on an affected host.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3554 through 3625.

The ICMP path MTU message informs a host that a packet it has sent
needs to be fragmented and will be dropped unless its size is reduced to
the designated MTU. It may be possible for an attacker to send a spoofed
ICMP path MTU message to a host, causing it to send very small packets.
This may then result in the host experiencing a Denial of Service (DoS).

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3626.

Below is the complete list of rules modified and added in the Sourcefire
VRT Certified Rule Pack.

New rules:
3554 - NETBIOS DCERPC-DIRECT mqqm bind attempt (netbios.rules)
3555 - NETBIOS DCERPC-DIRECT mqqm little endian bind attempt (netbios.rules)
3556 - NETBIOS DCERPC mqqm bind attempt (netbios.rules)
3557 - NETBIOS DCERPC mqqm little endian bind attempt (netbios.rules)
3558 - NETBIOS SMB mqqm WriteAndX andx bind attempt (netbios.rules)
3559 - NETBIOS SMB mqqm WriteAndX bind attempt (netbios.rules)
3560 - NETBIOS SMB mqqm WriteAndX little endian andx bind attempt (netbios.rules)
3561 - NETBIOS SMB mqqm WriteAndX little endian bind attempt (netbios.rules)
3562 - NETBIOS SMB mqqm WriteAndX unicode andx bind attempt (netbios.rules)
3563 - NETBIOS SMB mqqm WriteAndX unicode bind attempt (netbios.rules)
3564 - NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt (netbios.rules)
3565 - NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt (netbios.rules)
3566 - NETBIOS SMB mqqm andx bind attempt (netbios.rules)
3567 - NETBIOS SMB mqqm bind attempt (netbios.rules)
3568 - NETBIOS SMB mqqm little endian andx bind attempt (netbios.rules)
3569 - NETBIOS SMB mqqm little endian bind attempt (netbios.rules)
3570 - NETBIOS SMB mqqm unicode andx bind attempt (netbios.rules)
3571 - NETBIOS SMB mqqm unicode bind attempt (netbios.rules)
3572 - NETBIOS SMB mqqm unicode little endian andx bind attempt (netbios.rules)
3573 - NETBIOS SMB mqqm unicode little endian bind attempt (netbios.rules)
3574 - NETBIOS SMB-DS mqqm WriteAndX andx bind attempt (netbios.rules)
3575 - NETBIOS SMB-DS mqqm WriteAndX bind attempt (netbios.rules)
3576 - NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt (netbios.rules)
3577 - NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt (netbios.rules)
3578 - NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt (netbios.rules)
3579 - NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt (netbios.rules)
3580 - NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt (netbios.rules)
3581 - NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt (netbios.rules)
3582 - NETBIOS SMB-DS mqqm andx bind attempt (netbios.rules)
3583 - NETBIOS SMB-DS mqqm bind attempt (netbios.rules)
3584 - NETBIOS SMB-DS mqqm little endian andx bind attempt (netbios.rules)
3585 - NETBIOS SMB-DS mqqm little endian bind attempt (netbios.rules)
3586 - NETBIOS SMB-DS mqqm unicode andx bind attempt (netbios.rules)
3587 - NETBIOS SMB-DS mqqm unicode bind attempt (netbios.rules)
3588 - NETBIOS SMB-DS mqqm unicode little endian andx bind attempt (netbios.rules)
3589 - NETBIOS SMB-DS mqqm unicode little endian bind attempt (netbios.rules)
3590 - NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt (netbios.rules)
3591 - NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt (netbios.rules)
3592 - NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt (netbios.rules)
3593 - NETBIOS DCERPC mqqm QMDeleteObject overflow attempt (netbios.rules)
3594 - NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt (netbios.rules)
3595 - NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt (netbios.rules)
3596 - NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt (netbios.rules)
3597 - NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt (netbios.rules)
3598 - NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt (netbios.rules)
3599 - NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt (netbios.rules)
3600 - NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt (netbios.rules)
3601 - NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt (netbios.rules)
3602 - NETBIOS SMB mqqm QMDeleteObject andx overflow attempt (netbios.rules)
3603 - NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt (netbios.rules)
3604 - NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt (netbios.rules)
3605 - NETBIOS SMB mqqm QMDeleteObject overflow attempt (netbios.rules)
3606 - NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt (netbios.rules)
3607 - NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt (netbios.rules)
3608 - NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt (netbios.rules)
3609 - NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt (netbios.rules)
3610 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt (netbios.rules)
3611 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt (netbios.rules)
3612 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt (netbios.rules)
3613 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt (netbios.rules)
3614 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt (netbios.rules)
3615 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt (netbios.rules)
3616 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt (netbios.rules)
3617 - NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt (netbios.rules)
3618 - NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt (netbios.rules)
3619 - NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt (netbios.rules)
3620 - NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt (netbios.rules)
3621 - NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt (netbios.rules)
3622 - NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt (netbios.rules)
3623 - NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt (netbios.rules)
3624 - NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt (netbios.rules)
3625 - NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt (netbios.rules)
3626 - ICMP PATH MTU denial of service (icmp.rules)
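
Added example, not part of the original post and not the logic of sid 3626: Python that parses an ICMP "fragmentation needed" message (type 3, code 4, RFC 1191 layout) as described under Details and reports a very small next-hop MTU or an embedded datagram that the recipient did not send. The 576-byte threshold, the function names and the sample addresses are assumptions.

```python
import socket
import struct

MIN_SANE_MTU = 576  # assumed alert threshold, not taken from sid 3626


def parse_frag_needed(packet: bytes):
    """Return fields of an ICMP type 3 code 4 message, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None  # bad header, not ICMP, or truncated
    # RFC 1191: type, code, checksum, 16 unused bits, 16-bit next-hop MTU
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None
    inner = packet[ihl + 8:]  # header of the datagram that "was too big"
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "next_hop_mtu": mtu,
        "embedded_src": socket.inet_ntoa(inner[12:16]) if len(inner) >= 20 else None,
    }


def findings(packet: bytes, min_mtu: int = MIN_SANE_MTU):
    """List reasons to treat a path MTU message as suspicious (empty if none)."""
    info = parse_frag_needed(packet)
    if info is None:
        return []
    out = []
    if info["next_hop_mtu"] < min_mtu:  # also fires on 0 from pre-RFC 1191 routers
        out.append("low next-hop MTU %d" % info["next_hop_mtu"])
    if info["embedded_src"] != info["outer_dst"]:
        out.append("embedded datagram missing or not sent by the recipient")
    return out


def build_sample(mtu, outer_src, outer_dst, inner_src, inner_dst, icmp_type=3, icmp_code=4):
    """Constructed sample packet for offline testing (checksums left at zero)."""
    def ip_header(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner = ip_header(inner_src, inner_dst, 6, 1500) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, mtu) + inner
    return ip_header(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp
```

A sensor would call findings() on each captured IPv4 packet; the threshold should be tuned to the smallest MTU legitimately present on the monitored paths.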




