<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Guys,<br><br>I was looking for a signature for CVE-2010-1635 "Samba Flags2 header parsing vulnerability". I didn't find a signature for it in the Snort ruleset. <br>After reading the CVE and the <a href="http://stratsec.net/">stratsec.net</a> advisory on Samba Multiple DoS Vulnerabilities "SS-2010-005", I have attempted to write a signature for it. <br><br>Could someone please validate the logic? <br><br>alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing - flowbit: set"; flow:to_server,established; content:"|FF|SMB|72|"; byte_test:1,<,128,6,relative; flowbits:set,rn.smbd.flags2; flowbits:noalert; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538001;)<br><br>alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"Samba smbd flags2 header parsing denial of service attempt 1"; flow:to_server,established; content:"|FF|SMB|73|"; byte_test:1,>,127,6,relative; flowbits:isset,rn.smbd.flags2; reference:bugtraq,40097; reference:cve,2010-1635; sid:7538002;)<br><br><br>thanks,<br>rogue</body></html>
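The two-stage logic of the rule pair above, as an added Python example that is not part of the original post: it reads the SMB1 header the way the content/byte_test pair does (the byte at relative offset 6 is the high byte of the little-endian Flags2 field, so the comparison against 128 is a test of the 0x8000 UNICODE bit), keeps the rn.smbd.flags2 bit per flow, and raises the alert only for a Negotiate Protocol without that bit followed by a Session Setup AndX with it. The sample messages, the flow tuple and the builder are constructed for the demo.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72           # rule 1 content "|FF|SMB|72|"
SMB_COM_SESSION_SETUP_ANDX = 0x73  # rule 2 content "|FF|SMB|73|"
FLAGS2_UNICODE = 0x8000            # high byte >= 128 <=> this bit is set

def smb1_command_and_flags2(payload):
    """Return (command, flags2) from a NetBIOS-framed SMB1 message, else None."""
    hdr = payload[4:36]  # skip the 4-byte NetBIOS session header (ports 139/445)
    if len(hdr) < 32 or hdr[:4] != SMB_MAGIC:
        return None
    # Flags2 is little-endian at header offsets 10-11. Snort's content match
    # ends at offset 5, so byte_test's relative offset 6 is the high byte (11).
    return hdr[4], struct.unpack_from("<H", hdr, 10)[0]

class Flags2Tracker:
    """Per-flow state mirroring the flowbit rn.smbd.flags2 of the two rules."""
    def __init__(self):
        self.flowbits = set()  # flows on which the bit is currently set

    def inspect(self, flow, payload):
        """Return the alert message for one client->server message, or None."""
        parsed = smb1_command_and_flags2(payload)
        if parsed is None:
            return None
        command, flags2 = parsed
        unicode_set = bool(flags2 & FLAGS2_UNICODE)
        if command == SMB_COM_NEGOTIATE and not unicode_set:
            self.flowbits.add(flow)  # rule 1: flowbits:set + flowbits:noalert
            return None
        if command == SMB_COM_SESSION_SETUP_ANDX and unicode_set and flow in self.flowbits:
            return "Samba smbd flags2 header parsing denial of service attempt 1"
        return None

def build_smb1(command, flags2):
    """Constructed test message: NetBIOS header + 32-byte SMB1 header, no body."""
    smb = (SMB_MAGIC + bytes([command]) + b"\x00" * 4      # command, status
           + b"\x18" + struct.pack("<H", flags2)            # flags, flags2
           + b"\x00" * 20)                                  # pid/sec/tid/uid/mid
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def run_sequence(messages):
    """Feed constructed messages for one flow; return the alerts raised."""
    tracker, flow = Flags2Tracker(), ("10.0.0.2", 51000, "10.0.0.1", 445)
    return [a for a in (tracker.inspect(flow, m) for m in messages) if a]

if __name__ == "__main__":
    print(run_sequence([build_smb1(0x72, 0x0003), build_smb1(0x73, 0x8003)]))
```

Note that, as with the Snort rules, a Session Setup AndX with the UNICODE bit set on a flow that never saw the non-UNICODE Negotiate does not alert, and nothing clears the bit once set.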