[Snort-sigs] WINS Rule Testing Requested

Alex Kirk alex.kirk at ...435...
Tue Feb 8 10:17:36 EST 2005


Hello All,

Recently we here at the Sourcefire VRT have received some false positive 
reports for SID 3017, which deals with a WINS replication attack. We've 
done some research into the matter, and we have a possible new rule that 
we think eliminates (or at least greatly reduces) those false positives. 
Since we don't run a large WINS operation here, we're hoping we can get 
some volunteers who do have such a setup to test this new rule for us.

We would request that anyone testing this that gets alerts send us the 
Windows version and service pack level of the sender & recipient of the 
packet, since that information is relevant for proving or disproving the 
theory behind this rule.

The proposed rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; \
    byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; \
    pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00\x63-\x65]|\x02\x68\x05\xC0)/s"; \
    reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:cve,2004-1080; \
    reference:bugtraq,11763; classtype:misc-attack; sid:3017; rev:3;)
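
To see exactly when the proposed rule fires, here is an added Python re-implementation of its logic (not part of the original post or of Sourcefire's rule set): the four byte_test checks on payload byte 6, then the negated pcre, which under my reading of the rule lists byte sequences the VRT treats as legitimate replication traffic. The payloads are constructed for illustration and are not captured WINS traffic; the /s modifier of the pcre is mapped to re.DOTALL.

```python
import re

# Snort's `byte_test:1,&,VALUE,6` succeeds when (payload[6] & VALUE) != 0.
# The rule requires all four bits 0x40, 0x20, 0x10 and 0x08 to be set.
FLAG_OFFSET = 6
FLAG_BITS = (0x40, 0x20, 0x10, 0x08)

# The rule's pcre, negated with `!`: the rule alerts only when this pattern
# does NOT match at the start of the payload. /s -> re.DOTALL.
EXCLUDE = re.compile(
    rb"^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])"
    rb"|\x00\x00\x00[\x00\x63-\x65]|\x02\x68\x05\xC0)",
    re.DOTALL,
)

def byte_test_and(payload: bytes, offset: int, value: int) -> bool:
    """Mimic byte_test:1,&,value,offset; an out-of-range offset fails."""
    return len(payload) > offset and (payload[offset] & value) != 0

def sid3017_matches(payload: bytes) -> bool:
    """Return True if the proposed SID 3017 would alert on this TCP payload."""
    if not all(byte_test_and(payload, FLAG_OFFSET, bit) for bit in FLAG_BITS):
        return False
    # pcre:!"..." -> alert only if the exclusion pattern fails to match
    return EXCLUDE.match(payload) is None

# Constructed 8-byte headers: only byte 6 matters to the byte_tests.
HDR_FLAGS_SET = b"\x00" * 6 + b"\x78" + b"\x00"    # 0x78 = 0x40|0x20|0x10|0x08
HDR_FLAGS_CLEAR = b"\x00" * 6 + b"\x00" + b"\x00"

SAMPLES = {
    # Matches the pcre's second alternative -> excluded, no alert
    "excluded_opcode_63": HDR_FLAGS_SET + b"\x00\x00\x00\x63" + b"\x00" * 4,
    # Matches the first alternative (\x05\x37\x1E then a byte >= 0x90)
    "excluded_0537_1e": HDR_FLAGS_SET + b"\x05\x37\x1E\x95" + b"\x00" * 4,
    # Flag bits clear -> byte_tests fail -> no alert regardless of body
    "flags_clear": HDR_FLAGS_CLEAR + b"\x05\x37\x1E\x10" + b"\x00" * 4,
    # Flags set and body not in the exclusion list -> alert
    "unlisted": HDR_FLAGS_SET + b"\x05\x37\x1E\x10" + b"\x00" * 4,
    # Too short to reach byte 6 -> byte_tests fail -> no alert
    "short": b"\x00\x00\x00",
}

def evaluate_samples() -> dict:
    return {name: sid3017_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerts in evaluate_samples().items():
        print(f"{name:20s} alert={alerts}")
```

Feeding real replication payloads from a test WINS pair through sid3017_matches shows which of the exclusion alternatives each one hits, which is the information the VRT asks testers to report alongside Windows version and service pack.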

Thank you in advance to any volunteers. Please contact me directly 
off-list if you are interested.

Alex Kirk
Research Analyst
Sourcefire, Inc.
