[Snort-sigs] Correction sid 100000172

Blake Hartstein bhartstein at ...274...
Tue Feb 14 15:39:02 EST 2006


This rule is wrong, the author must have mistaken who is the malicious 
party and made the rule backwards.
This is an attack AGAINST Lynx. The NNTP Server is the malicious party.

Original Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"COMMUNITY NNTP Lynx 
overflow attempt"; flow:to_server,established; content:"Subject"; 
nocase; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; 
reference:bugtraq,15117; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; 
reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:1;)

Correct Rule:
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"COMMUNITY NNTP Lynx 
overflow attempt"; flow:from_server,established; content:"Subject"; 
nocase; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; 
reference:bugtraq,15117; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; 
reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:2;)

I have a pcap if you would like to see it.
Thanks,
Blake Hartstein

-- 
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged.  If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately.  Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.





More information about the Snort-sigs mailing list