[Snort-sigs] FP on sig 17567

Alex Kirk akirk at ...435...
Wed Nov 17 12:05:04 EST 2010


First off, this is a classic case of "if you're not running the software in
question, you shouldn't be running the rule." Chances are high that not only
do you not have LANDesk in your environment, if you did, it'd be patched by
now against a 3-year-old vulnerability anyway.

That said, as for the rule itself - unfortunately, there's no "fixing" it.
Any large packet sent to that service (which listens on that specific port)
will cause a crash; no setup, headers, etc. are necessary. Generally, we're
not fans of covering vulnerabilities like that. However, in this case we had
a specific request for it, and since it's on a unique UDP port (that, in
most environments, doesn't get a lot of traffic - most clients stick to
lower ports than that), we figured that the false positive rate would be low
enough to stick it out there, and have anyone with issues simply disable it
when it came out. You'll note that it's in no policies by default; I'll make
a point to comment it out as well for those who don't use policies in
open-source land.

On Wed, Nov 17, 2010 at 11:36 AM, Andy Berryman <aberryman at ...3535...> wrote:

> SPECIFIC-THREATS LANDesk Management Suite Alerting Service buffer overflow
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 65535
>
> sid:17567; rev:1;
>
> I’m seeing this as a false positive for a couple of our customers. Most
> seem to be DNS requests. Source port is 53 on most of them and a couple of
> them that I’ve talked to have confirmed they don’t have the software on the
> machines.
>
> One is source port 161 dest port 65535 and here’s the packet payload
>
> 0        OMFGPonies        (       0  0    +          Cisco IOS Software,
> 3600 Software (C3640-I-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport  Copyright (c)
> 1986-2008 by Cisco Systems, Inc.  Compiled Sat 08-Nov-08 23:43 by
> prod_rel_team
>
> IN HEX:
>
> Thanks,
>
> Andy Berryman
>  ------------------------------
>  This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>  ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>


-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
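The triage check a rule maintainer would want here, added as an example and not code from the thread or from the Snort rule set: it models the match condition Alex describes (any large UDP datagram to port 65535, no content checks) and decodes a constructed SNMPv1 GetResponse of the kind Andy saw from source port 161, so a hit can be labelled as a poll answer rather than LANDesk traffic. ASSUMED_MIN_DSIZE is a placeholder, since the thread does not give the rule's real dsize threshold; the sysDescr text and community string in the test are constructed.

```python
ASSUMED_MIN_DSIZE = 200  # placeholder: the thread does not give the real rule's dsize threshold
GET_RESPONSE = 0xA2      # BER tag of an SNMPv1 GetResponse PDU (context-specific, constructed, 2)
def tlv(tag, body):
    """Encode one BER element, using a two-byte long-form length when the body exceeds 127 bytes."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def build_snmp_response(community, sysdescr):
    """Construct an SNMPv1 GetResponse for sysDescr.0 (1.3.6.1.2.1.1.1.0), like the port-161 hit."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x04, sysdescr.encode()))
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + tlv(GET_RESPONSE, pdu))

def read_tlv(buf, pos):
    """Decode one BER element at pos; returns (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 128 else first & 0x7F  # long form: n length bytes follow
    length = first if first < 128 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_snmp(payload):
    """Return (version, community, pdu_type, first varbind value) or None if not SNMP-shaped."""
    try:
        tag, msg, end = read_tlv(payload, 0)
        if tag != 0x30 or end != len(payload):
            return None
        _, ver, p = read_tlv(msg, 0)
        _, community, p = read_tlv(msg, p)
        pdu_type, pdu, _ = read_tlv(msg, p)
        p = 0
        for _ in range(3):  # skip request-id, error-status, error-index
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        _, vb, _ = read_tlv(varbinds, 0)
        _, _, q = read_tlv(vb, 0)  # skip the OID
        _, value, _ = read_tlv(vb, q)
        return ver[0], community.decode(), pdu_type, value.decode(errors="replace")
    except (IndexError, UnicodeDecodeError):
        return None

def triage(src_port, dst_port, payload):
    """Label a hit: a GetResponse from source port 161 is an SNMP poll answer, not LANDesk traffic."""
    if dst_port != 65535 or len(payload) < ASSUMED_MIN_DSIZE:
        return "no-match"  # the header/dsize condition Alex describes is not met
    snmp = parse_snmp(payload)
    if src_port == 161 and snmp and snmp[2] == GET_RESPONSE:
        return "false-positive: SNMP GetResponse, sysDescr=%r" % snmp[3]
    return "review"
```

A DNS reply from source port 53 lands in "review" here because the parser only understands SNMP; the same pattern, a decoder per well-known source port, is how the other hits Andy reported would be confirmed.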