[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Tue Feb 20 15:24:55 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
A remotely exploitable vulnerability exists in the DCE/RPC dynamic
preprocessor included with Snort versions 2.6.1, 2.6.1.1, 2.6.1.2 and
2.7 Beta 1.

Details:
The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow
that could potentially allow a remote attacker to execute code in the
context of the user running Snort.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified as SIDs 10158 through 10160.

Additionally a shared object rule to detect attacks targeting this
vulnerability is included in this release and is identified as GID 3
SID 10161.

Note:
This rules update has been released to the VRT Subscribers and the Snort
Registered Users.

New rules:
10156 <-> WEB-CLIENT ActiveX Soft DVD Tools ActiveX clsid access
(web-client.rules)
10157 <-> WEB-CLIENT ActiveX Soft DVD Tools ActiveX clsid unicode access
(web-client.rules)
10158 <-> NETBIOS SMB writex possible Snort dcerpc preprocessor overflow
attempt (netbios.rules)
10159 <-> NETBIOS SMB-DS writex possible Snort dcerpc preprocessor
overflow attempt (netbios.rules)
10160 <-> NETBIOS-DG SMB writex possible Snort dcerpc preprocessor
overflow attempt (netbios.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF21kXMpm0ve0NhMcRAgcpAKCNwgFtcjJm5pmaNdzAbhhezCr4/ACgqlor
rh38s7RY2Inxz1AIlfVGTN4=
=W8Nk
-----END PGP SIGNATURE-----



