[Snort-sigs] Fwd: cve-2010-1635 detection

Balasubramaniam Natarajan bala150985 at ...2420...
Fri Aug 17 04:25:38 EDT 2012


On Fri, Aug 17, 2012 at 4:17 AM, THG <thehulkguy at ...2420...> wrote:

> Hi Guys,
>
> I was looking for Signature for CVE-2010-1635 "Samba Flags2 header parsing
> vulnerability". I didn't find signature for it in snort ruleset.
> After reading CVE and stratsec.net advisories on
> Samba-Multiple-DoS-Vulnerabilities "SS-2010-005", I have attempted to write
> signature for it.
>
> Could some one please validate the logic.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2
> header parsing - flowbit: set"; flow: to_server,established;
> content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative;
> flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097;
> reference:cve,2010-1635; sid:7538001;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2
> header parsing denial of service attempt 1"; flow: to_server,established;
> content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative;
> flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097;
> reference:cve,2010-1635; sid:7538002;)
>
>

Why do you have a comma in the references like "cve,2010-1635"? Should it
not be like "CVE-2010-1653"?

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
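The two-stage flowbit logic in the quoted rules (a NEGOTIATE with the flags2 high bit clear arms the state, a following SESSION_SETUP_ANDX with that bit set raises the alert) is shown below as an added Python illustration; it is not code from the thread, and the flow keys and SMB headers are constructed for the example.

```python
import struct

# SMB1 header layout: 0..3 "\xffSMB", 4 command, 5..8 status, 9 flags, 10..11 flags2 (LE).
# The rules' byte_test offset 6 relative to "|FF|SMB|xx|" lands on byte 11, the flags2 high byte.
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_HIGH_BIT = 0x8000  # flags2 high byte >= 128 in the rules' byte_test


def parse_smb_header(payload: bytes):
    """Return (command, flags2) or None if the payload is not an SMB1 header."""
    if len(payload) < 12 or payload[:4] != SMB_MAGIC:
        return None
    command = payload[4]
    (flags2,) = struct.unpack_from("<H", payload, 10)
    return command, flags2


class Flags2Tracker:
    """Per-flow state mirroring the flowbits:set / flowbits:isset pair."""

    def __init__(self):
        self.armed = set()  # flow keys that saw a NEGOTIATE with the high bit clear

    def inspect(self, flow_key, payload: bytes) -> bool:
        hdr = parse_smb_header(payload)
        if hdr is None:
            return False
        command, flags2 = hdr
        high_bit = bool(flags2 & FLAGS2_HIGH_BIT)
        if command == SMB_COM_NEGOTIATE and not high_bit:
            self.armed.add(flow_key)  # sid 7538001: set flowbit, flowbits:noalert
            return False
        # sid 7538002: flowbit already set and the high bit now set -> alert
        return command == SMB_COM_SESSION_SETUP_ANDX and high_bit and flow_key in self.armed


def build_smb(command: int, flags2: int) -> bytes:
    """Constructed minimal SMB1 header (status zeroed, flags 0x18); not a real capture."""
    return SMB_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + struct.pack("<H", flags2)


def demo() -> list:
    """Replay one arming flow, the follow-up that alerts, and an unrelated flow that does not."""
    tracker = Flags2Tracker()
    flow_a = ("10.0.0.5", 49152, "10.0.0.9", 445)  # constructed flow keys
    flow_b = ("10.0.0.6", 49153, "10.0.0.9", 445)
    return [
        tracker.inspect(flow_a, build_smb(SMB_COM_NEGOTIATE, 0x0001)),
        tracker.inspect(flow_a, build_smb(SMB_COM_SESSION_SETUP_ANDX, 0x8001)),
        tracker.inspect(flow_b, build_smb(SMB_COM_SESSION_SETUP_ANDX, 0x8001)),
    ]
```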