[Snort-users] New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service

Willst Mail willstmail at ...11827...
Thu Feb 18 16:57:43 EST 2010


The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active
Directory LDAP query handling denial of service."  It looks to be examining
traffic bound for ports 389 or 3268 containing a particular string in the
content.  I don't recognize the string except that it looks like it might be
part of an LDAP OID.  It is generating hundreds of alerts per hour destined
for LDAP servers (AD and otherwise) from client machines.  I have not yet
looked at packet captures but my first thought is that these are false
positives.  Any idea what this rule is really meant to detect and what this
string is meant to be?  I have not posted the string because I am not sure
if the VRT subscription license considers it proprietary until the signature
is released into the community release.

Latest signatures:
http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-17.html
MS bulletin re: LDAP vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088


Thanks
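As an added illustration of the triage the poster describes (hundreds of alerts per hour from many clients to a few LDAP servers), here is a small script that groups Snort `alert_fast`-style lines by SID and flags rules whose alert profile looks like broad client noise rather than a single source. This is editor-supplied example code, not part of the original post or of the VRT ruleset; the sample alert lines are constructed, the regex assumes the standard one-line fast alert layout, and the thresholds in `candidate_false_positives` are arbitrary starting points to tune locally. It does not decide whether an alert is a false positive; it only ranks which SIDs deserve packet-level review first.

```python
import re
from collections import defaultdict

# Matches Snort's one-line "alert_fast" output. Assumption: standard layout
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts for the example; not captured from a real sensor.
SAMPLE_ALERTS = """\
02/18-15:01:02.123456  [**] [1:16433:1] EXPLOIT Microsoft Active Directory LDAP query handling denial of service [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.11:49201 -> 10.1.0.5:389
02/18-15:01:03.223456  [**] [1:16433:1] EXPLOIT Microsoft Active Directory LDAP query handling denial of service [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.12:50110 -> 10.1.0.5:389
02/18-15:01:05.323456  [**] [1:16433:1] EXPLOIT Microsoft Active Directory LDAP query handling denial of service [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.13:50987 -> 10.1.0.6:3268
02/18-15:02:10.423456  [**] [1:16433:1] EXPLOIT Microsoft Active Directory LDAP query handling denial of service [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.11:49305 -> 10.1.0.5:389
02/18-15:03:00.523456  [**] [1:2001:5] EXAMPLE unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.40:33000 -> 10.1.0.9:80
"""


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize_by_sid(alerts):
    """Per SID: total count, distinct sources, distinct destinations, destination ports."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(),
                                   "destinations": set(), "dports": set()})
    for a in alerts:
        entry = summary[a["sid"]]
        entry["count"] += 1
        entry["sources"].add(a["src"])
        entry["destinations"].add(a["dst"])
        entry["dports"].add(int(a["dport"]))
    return summary


def candidate_false_positives(summary, min_count=3, min_sources=3):
    """Heuristic ranking only: many distinct internal clients tripping the same
    content match against a small set of servers is the profile of ordinary
    traffic that happens to contain the matched bytes. Such SIDs go to the top
    of the packet-capture review queue; thresholds are arbitrary, tune locally."""
    flagged = []
    for sid, entry in summary.items():
        if entry["count"] >= min_count and len(entry["sources"]) >= min_sources:
            flagged.append(sid)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_by_sid(parse_alerts(SAMPLE_ALERTS))
    for sid, entry in sorted(summary.items()):
        print(f"sid {sid}: {entry['count']} alerts, "
              f"{len(entry['sources'])} sources -> {len(entry['destinations'])} servers, "
              f"ports {sorted(entry['dports'])}")
    print("review first:", candidate_false_positives(summary))
```

Running it over a real `alert` file (for example `python triage.py < /var/log/snort/alert` after swapping `SAMPLE_ALERTS` for `sys.stdin.read()`) gives a per-SID view; the next step for a flagged SID is to pull the matching packets and check whether the content match sits inside a benign LDAP element such as an attribute OID, which is exactly the question the poster raises.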