[Snort-sigs] WINS Rule Testing Requested

Alex Kirk alex.kirk at ...435...
Tue Feb 8 10:17:36 EST 2005

Hello All,

Recently we here at the Sourcefire VRT have received some false positive 
reports for SID 3017, which deals with a WINS replication attack. We've 
done some research into the matter, and we have a possible new rule that 
we think eliminates (or at least greatly reduces) those false positives. 
Since we don't run a large WINS operation here, we're hoping we can get 
some volunteers who do have such a setup to test this new rule for us.

We would request that anyone testing this that gets alerts send us the 
Windows version and service pack level of the sender & recipient of the 
packet, since that information is relevant for proving or disproving the 
theory behind this rule.

The proposed rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt";
byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6;
reference:cve,2004-1080; reference:bugtraq,11763; classtype:misc-attack;
sid:3017; rev:3;)

Thank you in advance to any volunteers. Please contact me directly 
off-list if you are interested.

Alex Kirk
Research Analyst
Sourcefire, Inc.
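
The detection logic of the proposed rule, worked through as an added example (this is not Sourcefire VRT code and not part of the original post). Snort's byte_test reads the given number of bytes at the given offset from the start of the payload and, for the & operator, is true when the bitwise AND with the value is non-zero; all options in one rule are ANDed, so the three tests together require bits 64, 32 and 16 of payload byte 6 to all be set. The parser, the ByteTest class, the sample() helper and the sample payloads below are all assumptions made for illustration; the payloads are constructed, not captured WINS replication traffic, and the script does not claim what byte 6 means in the protocol.

```python
import re
from dataclasses import dataclass

# Rule text as posted (SID 3017 rev 3), joined onto one line so it can be parsed here.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ('
    'msg:"EXPLOIT WINS overflow attempt"; '
    'byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; '
    'reference:cve,2004-1080; reference:bugtraq,11763; '
    'classtype:misc-attack; sid:3017; rev:3;)'
)

# Minimal byte_test parser (assumption: only the absolute-offset, big-endian
# form used by this rule is handled): bytes_to_convert,operator,value,offset.
BYTE_TEST_RE = re.compile(r"byte_test:(\d+),(&|=|<|>),(\d+),(\d+);")


@dataclass(frozen=True)
class ByteTest:
    nbytes: int
    op: str
    value: int
    offset: int

    def matches(self, payload: bytes) -> bool:
        """Read nbytes at offset (from payload start) as a big-endian integer
        and compare. '&' is true when the AND is non-zero; a payload too short
        to contain the field never matches."""
        end = self.offset + self.nbytes
        if len(payload) < end:
            return False
        field = int.from_bytes(payload[self.offset:end], "big")
        if self.op == "&":
            return (field & self.value) != 0
        if self.op == "=":
            return field == self.value
        if self.op == "<":
            return field < self.value
        return field > self.value  # ">"


def parse_byte_tests(rule: str) -> list[ByteTest]:
    return [ByteTest(int(n), op, int(v), int(off))
            for n, op, v, off in BYTE_TEST_RE.findall(rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """All detection options in one rule body must be true for it to fire."""
    return all(bt.matches(payload) for bt in parse_byte_tests(rule))


def single_mask_matches(payload: bytes) -> bool:
    """What a collapsed 'byte_test:1,&,112,6' (64|32|16) would do: true if ANY
    of the three bits is set, which is a looser condition than the rule's."""
    return len(payload) > 6 and (payload[6] & 0x70) != 0


# Constructed sample TCP payloads (not real WINS traffic): six bytes of filler,
# the byte the rule inspects, then some trailing data.
def sample(byte6: int) -> bytes:
    return b"\x00" * 6 + bytes([byte6]) + b"\x00" * 9


SAMPLES = {
    "bits 64,32,16 all set (0x70)": sample(0x70),
    "all bits set (0xff)":          sample(0xff),
    "only 64 and 32 set (0x60)":    sample(0x60),
    "only 16 set (0x10)":           sample(0x10),
    "none of the bits set (0x0f)":  sample(0x0f),
    "payload shorter than 7 bytes": b"\x00" * 6,
}


def evaluate(rule: str = RULE) -> dict[str, bool]:
    """Run the rule's byte_test options over every constructed sample."""
    return {name: rule_matches(rule, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{hit!s:5}  {name}")
```

The single_mask_matches function is there to show why the rule uses three separate byte_test options rather than one with the combined value 112: with the & operator a single test fires when any one of the bits is set, whereas the three-test form only fires when all of them are. Anyone reporting alerts from the rule can use the same harness to confirm which samples the byte checks accept before looking at the Windows version and service pack of the hosts involved.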
