[Snort-sigs] WINS Rule Testing Requested
alex.kirk at ...435...
Tue Feb 8 10:17:36 EST 2005
Recently we here at the Sourcefire VRT have received some false positive
reports for SID 3017, which deals with a WINS replication attack. We've
done some research into the matter, and we have a possible new rule that
we think eliminates (or at least greatly reduces) those false positives.
Since we don't run a large WINS operation here, we're hoping we can get
some volunteers who do have such a setup to test this new rule for us.
We would request that anyone testing this that gets alerts send us the
Windows version and service pack level of the sender & recipient of the
packet, since that information is relevant for proving or disproving the
theory behind this rule.
The proposed rule is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; reference:cve,2004-1080; reference:bugtraq,11763; classtype:misc-attack;)
Thank you in advance to any volunteers. Please contact me directly
off-list if you are interested.
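The following is an added example, not part of the post above or of the VRT's rule set: it models the three byte_test options of the proposed rule in Python so their combined logic (all three bits of the byte at payload offset 6 must be set, and a payload shorter than 7 bytes can never match) can be checked against captured tcp/42 payloads offline. The byte_test model is a simplification of Snort's option and the sample payloads are constructed, not real WINS replication messages.

```python
# Added example (not from the post): reimplements the proposed rule's
# three byte_test options over a raw TCP payload so their logic can be
# checked against captured WINS (tcp/42) traffic offline.

def byte_test(payload: bytes, size: int, op: str, value: int, offset: int) -> bool:
    """Minimal model of Snort's byte_test: read `size` bytes (big-endian)
    at `offset` and compare with `value` using `op`. Returns False when
    the payload is too short, since Snort cannot test past the end."""
    if offset < 0 or offset + size > len(payload):
        return False
    field = int.from_bytes(payload[offset:offset + size], "big")
    if op == "&":          # bitwise AND: true when any masked bit is set
        return field & value != 0
    if op == "=":
        return field == value
    if op == ">":
        return field > value
    if op == "<":
        return field < value
    raise ValueError(f"unsupported operator {op!r}")

# The three byte_test options from the proposed SID 3017 revision.
RULE_TESTS = [(1, "&", 64, 6), (1, "&", 32, 6), (1, "&", 16, 6)]

def rule_matches(payload: bytes) -> bool:
    """All options in a Snort rule must succeed, so the tests are ANDed:
    the byte at offset 6 must have bits 0x40, 0x20 and 0x10 all set."""
    return all(byte_test(payload, *t) for t in RULE_TESTS)

# Constructed sample payloads (not real WINS replication messages):
# six filler bytes, then the byte the rule inspects, then optional trailer.
FILLER = b"\x00" * 6
SAMPLES = {
    "all_three_bits_set": FILLER + bytes([0x70]) + b"\x00\x00",
    "all_bits_set_0xff":  FILLER + bytes([0xFF]),
    "only_0x40_and_0x20": FILLER + bytes([0x60]),
    "zero_byte":          FILLER + bytes([0x00]),
    "too_short":          b"\x00" * 6,
}

def classify_samples() -> dict:
    """Map each constructed sample to whether the rule would fire on it."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no match'}")
```

Running a suspected false-positive payload through rule_matches shows which of the three bit tests passed, which is the first thing to check before reporting the sender and recipient Windows versions as requested.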