[Snort-sigs] sid 580 and sid 1267 = cve-1999-0008 ? (snort233b14)

Matthew Watchinski mwatchinski at ...435...
Fri Jun 24 12:25:11 EDT 2005


1. [Snort-sigs] sid 580 and sid 1267 = cve-1999-0008 ? (snort233b14) - 
Invalid
2. [Snort-sigs] sid 661 != cve-1999-0208 ? (snort233b14) - Will be fixed 
in next rule release
3. [Snort-sigs] add ref BUGTRAQ19970523 on sid 322 ? (snort233b14) - Got 
a real bugtraq number for this?  Currently the bugtraq reference type 
supports bugtraq_id and not the old message archive format.
4. [Snort-sigs] add ref MS-99-003 on sid 2338 ? (snort233b14) - Will be 
fixed in next rule release
5. [Snort-sigs] add ref MS-99-010 on sid 951 ? (snort233b14) - Since 
this signature doesn't detect the vulnerability outlined in this MS 
advisory, this reference won't be added.  I'm also going to remove the 
other references, as the vulnerability is in malformed URLs, not the files 
that can be accessed with FrontPage.  I.e., the vulnerability is that an 
attacker can send /..../ and back up directories until they can get files 
like authors.pwd.
6. [Snort-sigs] sid 1847 != cve-1999-0643 ? (snort233b14) - Will be 
fixed in next rule release
7. [Snort-sigs] add ref MS99013 on sid 1037 ? (snort233b14) - Will be 
fixed in next rule release
8. [Snort-sigs] add ref BID 770 on sid 1507 ? (snort233b14) - Will be 
fixed in next rule release
9. [Snort-sigs] add ref bid 19980908 on sid 1604 (snort233b14) - Got a 
real bugtraq number for this? Or an osvdb URL for this?
10. [Snort-sigs] add ref MS99038 on sid 500/501 ? (snort233b14) - Will 
be fixed in next rule release
11. [Snort-sigs] add ref MS99034 on sid 272 ? (snort233b14) - Will be 
fixed in next rule release
12. [Snort-sigs] remove bid 0564 on sid 1219 ? (snort233b14) - Will be 
fixed in next rule release
13. [Snort-sigs] add ref BID 830 on sid 1936 ? (snort233b14) - Will be 
fixed in next rule release
14. [Snort-sigs] sid 272 == sid 273 ? (snort233b14) - Will be fixed in 
next rule release

Did I miss any? Other than the consolidated one "[Snort-sigs] multiple 
change on sid (snort233b14)" (working on this right now)

Thanks for the reports.

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

rmkml wrote:

> sid 580 is :
> rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC 
> portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; 
> offset:12; content:"|00 00 00 03|"; within:4; distance:4; 
> byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
> content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; 
> offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; 
> sid:580; rev:9;)
>
> sid 1267 is :
> rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC 
> portmap nisd request TCP"; flow:to_server,established; content:"|00 01 
> 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; 
> distance:4; byte_jump:4,4,relative,align; 
> byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; 
> content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; 
> classtype:rpc-portmap-decode; sid:1267; rev:11;)
>
> cve-1999-0008 is :
> Name: CVE-1999-0008
> Reference: CERT:CA-98.06.nisd
> Reference: SUN:00170
> Reference: ISS:June10,1998
> Reference: XF:nisd-bo-check
> Buffer overflow in NIS+, in Sun's rpc.nisd program
>
> Regards
> Rmkml
>
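The option chain of sid 580 and sid 1267 quoted above, written out as an added Python example (not part of the original thread) and run against constructed ONC RPC portmap calls, to show which packet fields the two rules test. The function names and all sample packet values are assumptions made for illustration; the `flow:to_server,established` option of sid 1267 is not modelled.

```python
import struct

PMAP_PROG = 100000        # 0x000186A0, portmapper
PMAPPROC_GETPORT = 3      # 0x00000003
NISD_PROG = 100300        # 0x000187CC, rpc.nisd

def pad4(data):
    return data + b"\x00" * (-len(data) % 4)

def rpc_call(prog, proc, args, cred=b"", tcp=False):
    """Build an ONC RPC v2 call; every value here is constructed sample data."""
    msg = struct.pack(">6I", 0x1234, 0, 2, prog, 2, proc)  # xid, CALL, rpcvers, prog, vers, proc
    msg += struct.pack(">2I", 1 if cred else 0, len(cred)) + pad4(cred)  # credential
    msg += struct.pack(">2I", 0, 0)                        # verifier: AUTH_NONE, length 0
    msg += args
    if tcp:                                                # 4-byte record mark on TCP
        msg = struct.pack(">I", 0x80000000 | len(msg)) + msg
    return msg

def getport_args(prog):
    return struct.pack(">4I", prog, 1, 17, 0)              # prog, vers, prot, port

def matches_nisd_rule(payload, base=0):
    """Option chain of sid 580 (base=0, UDP) or sid 1267 (base=4, TCP)."""
    def be32(off):
        if 0 <= off <= len(payload) - 4:
            return struct.unpack_from(">I", payload, off)[0]
        return None
    if be32(base + 12) != PMAP_PROG:         # content:"|00 01 86 A0|"; depth:4; offset:12 (16 on TCP)
        return False
    if be32(base + 20) != PMAPPROC_GETPORT:  # content:"|00 00 00 03|"; within:4; distance:4
        return False
    cursor = base + 24                       # end of the previous content match
    for _ in range(2):                       # byte_jump:4,4,relative,align, twice:
        length = be32(cursor + 4)            # skip the flavor word, read the length word,
        if length is None:
            return False
        cursor += 8 + length + (-length % 4) # jump the 4-byte-aligned credential, then verifier
    if be32(cursor) != NISD_PROG:            # content:"|00 01 87 CC|"; within:4
        return False
    return be32(base + 4) == 0               # content:"|00 00 00 00|"; depth:4; offset:4 (8 on TCP)

if __name__ == "__main__":
    lookup = rpc_call(PMAP_PROG, PMAPPROC_GETPORT, getport_args(NISD_PROG))
    print("GETPORT for program 100300 matches:", matches_nisd_rule(lookup))
```

The two `byte_jump` options are what let the final program-number check land on the GETPORT arguments regardless of how long the credential and verifier are.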




