[Snort-users] New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service

Willst Mail willstmail at ...11827...
Thu Feb 18 16:57:43 EST 2010

The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active
Directory LDAP query handling denial of service."  It looks to be examining
traffic bound for ports 389 or 3268 containing a particular string in the
content.  I don't recognize the string except that it looks like it might be
part of an LDAP OID.  It is generating hundreds of alerts per hour destined
for LDAP servers (AD and otherwise) from client machines.  I have not yet
looked at packet captures but my first thought is that these are false
positives.  Any idea what this rule is really meant to detect and what this
string is meant to be?  I have not posted the string because I am not sure
if the VRT subscription license considers it proprietary until the signature
is released into the community release.

Latest signatures:
MS bulletin re: LDAP vulnerability:
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088
