[Snort-sigs] sid 580 and sid 1267 = cve-1999-0008 ? (snort233b14)

Matthew Watchinski mwatchinski at ...435...
Fri Jun 24 08:09:44 EDT 2005


These rules just detect attempts to query portmap for the nisd service.  
Since this isn't a vulnerability in and of itself, this CVE reference 
doesn't seem valid for these rules.

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

rmkml wrote:

> sid 580 is :
> rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC 
> portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; 
> offset:12; content:"|00 00 00 03|"; within:4; distance:4; 
> byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
> content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; 
> offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; 
> sid:580; rev:9;)
>
> sid 1267 is :
> rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC 
> portmap nisd request TCP"; flow:to_server,established; content:"|00 01 
> 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; 
> distance:4; byte_jump:4,4,relative,align; 
> byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; 
> content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; 
> classtype:rpc-portmap-decode; sid:1267; rev:11;)
>
> cve-1999-0008 is :
> Name: CVE-1999-0008
> Reference: CERT:CA-98.06.nisd
> Reference: SUN:00170
> Reference: ISS:June10,1998
> Reference: XF:nisd-bo-check
> Buffer overflow in NIS+, in Sun's rpc.nisd program
>
> Regards
> Rmkml
>
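Added example, not part of the original thread and not Snort or Sourcefire code: a Python decoder that walks an ONC RPC payload the way the content and byte_jump options of sid 580 (UDP) and sid 1267 (TCP) do, showing that a match is a portmap GETPORT lookup for program 100300. The function names and the `build_getport` sample builder are hypothetical, and the sample payloads are constructed, not captured traffic.

```python
import struct

PORTMAP_PROG = 100000  # 0x000186A0: first content match in both rules
PMAP_GETPORT = 3       # 0x00000003: portmap procedure GETPORT
NISD_PROG = 100300     # 0x000187CC: the program number the rules look for
RPC_CALL = 0           # 0x00000000: msg_type CALL (the rules' last content match)

def _skip_auth(buf, pos):
    # flavor(4) + length(4) + body padded to 4 bytes, like byte_jump:4,4,relative,align
    if pos + 8 > len(buf):
        raise ValueError("truncated auth header")
    (length,) = struct.unpack_from(">I", buf, pos + 4)
    end = pos + 8 + ((length + 3) & ~3)
    if end > len(buf):
        raise ValueError("auth body runs past end of payload")
    return end

def getport_target(payload, tcp=False):
    """Program number requested by a portmap GETPORT call, or None if not one."""
    buf = payload[4:] if tcp else payload  # TCP carries a 4-byte record mark first
    if len(buf) < 24:
        return None
    _xid, mtype, _rpcvers, prog, _vers, proc = struct.unpack_from(">6I", buf, 0)
    if (mtype, prog, proc) != (RPC_CALL, PORTMAP_PROG, PMAP_GETPORT):
        return None
    try:
        pos = _skip_auth(buf, _skip_auth(buf, 24))  # credentials, then verifier
    except ValueError:
        return None
    if pos + 4 > len(buf):
        return None
    return struct.unpack_from(">I", buf, pos)[0]

def is_nisd_query(payload, tcp=False):
    return getport_target(payload, tcp) == NISD_PROG

def build_getport(target_prog, cred_body=b"", tcp=False):
    """Constructed sample payload for testing the decoder; not captured traffic."""
    msg = struct.pack(">6I", 0x1234, RPC_CALL, 2, PORTMAP_PROG, 2, PMAP_GETPORT)
    msg += struct.pack(">2I", 1 if cred_body else 0, len(cred_body))
    msg += cred_body + b"\x00" * (-len(cred_body) % 4)
    msg += struct.pack(">2I", 0, 0)                   # empty verifier
    msg += struct.pack(">4I", target_prog, 1, 17, 0)  # prog, vers, prot=UDP, port
    if tcp:
        msg = struct.pack(">I", 0x80000000 | len(msg)) + msg
    return msg
```
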




