[Snort-sigs] Fwd: cve-2010-1635 detection

THG thehulkguy at ...2420...
Thu Aug 16 18:47:11 EDT 2012

Hi Guys,

I was looking for a signature for CVE-2010-1635, "Samba Flags2 header parsing vulnerability". I didn't find a signature for it in the Snort ruleset.
After reading the CVE and the stratsec.net advisory on Samba Multiple DoS Vulnerabilities, "SS-2010-005", I have attempted to write a signature for it.

Could someone please validate the logic?

alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing - flowbit: set"; flow: to_server,established; content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative; flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing denial of service attempt 1"; flow: to_server,established; content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative; flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538002;)

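As an added example (not part of the original post), the following Python script re-implements the two rules' flowbit chain over constructed SMB packets so the offset arithmetic can be checked: the 5-byte content match ends at SMB header offset 5, so relative offset 6 lands on offset 11, the high byte of the little-endian flags2 field, whose top bit (0x8000) is the Unicode flag. The flow key, the sample flags2 values and the packet builder are assumptions for illustration.

```python
import struct
from collections import defaultdict

# Command bytes from the rules' content matches: |FF|SMB|72| and |FF|SMB|73|
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLOWBIT = "rn.smbd.flags2"

def parse_smb_header(payload):
    """Return (command, flags2) for a TCP payload carrying a 4-byte NetBIOS
    session header followed by a 32-byte SMB1 header, or None if malformed."""
    if len(payload) < 36 or payload[4:8] != b"\xffSMB":
        return None
    smb = payload[4:]
    command = smb[4]
    # SMB1 header layout: 4 magic, 1 command, 4 status, 1 flags, 2 flags2 (LE).
    # The rules' content match ends at SMB offset 5, so relative offset 6 is
    # SMB offset 11: the high byte of flags2, which byte_test compares to 128.
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    return command, flags2

class Flags2Detector:
    """Per-flow state mirroring flowbits:set / flowbits:isset in the two rules."""
    def __init__(self):
        self.flowbits = defaultdict(set)  # flow key -> set of flowbit names

    def inspect(self, flow, payload):
        """Return the alert message this packet would raise, or None."""
        parsed = parse_smb_header(payload)
        if parsed is None:
            return None
        command, flags2 = parsed
        high_byte = flags2 >> 8  # the single byte byte_test:1,...,6,relative reads
        if command == SMB_COM_NEGOTIATE and high_byte < 128:
            self.flowbits[flow].add(FLOWBIT)  # sid 7538001: set bit, noalert
            return None
        if (command == SMB_COM_SESSION_SETUP_ANDX and high_byte > 127
                and FLOWBIT in self.flowbits[flow]):  # sid 7538002
            return "Samba smbd flags2 header parsing denial of service attempt 1"
        return None

def build_smb(command, flags2):
    """Constructed sample packet (not a capture): NetBIOS session header plus
    a minimal SMB1 header with the given command and flags2 values."""
    smb = (b"\xffSMB" + bytes([command]) + b"\x00" * 4 + b"\x18"
           + struct.pack("<H", flags2) + b"\x00" * 20)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
```

Feeding a Negotiate with the Unicode bit clear and then a Session Setup AndX with it set on the same flow returns the alert message; a flow that negotiates Unicode from the start never sets the flowbit and stays silent.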