[Snort-users] New rule 16433 - EXPLOIT Microsoft Active Directory LDAP query handling denial of service

Alex Kirk akirk at ...1935...
Fri Feb 19 10:09:00 EST 2010


Thanks for the report. We're investigating a fix now, and will release one
as soon as feasible. We'll let you know once the fix has gone out.

On Thu, Feb 18, 2010 at 4:57 PM, Willst Mail <willstmail at ...11827...> wrote:

> The latest VRT signatures included rule 16433 "EXPLOIT Microsoft Active
> Directory LDAP query handling denial of service."  It looks to be examining
> traffic bound for ports 389 or 3268 containing a particular string in the
> content.  I don't recognize the string except that it looks like it might be
> part of an LDAP OID.  It is generating hundreds of alerts per hour destined
> for LDAP servers (AD and otherwise) from client machines.  I have not yet
> looked at packet captures but my first thought is that these are false
> positives.  Any idea what this rule is really meant to detect and what this
> string is meant to be?  I have not posted the string because I am not sure
> if the VRT subscription license considers it proprietary until the signature
> is released into the community release.
> Latest signatures:
> http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2010-02-17.html
> MS bulletin re: LDAP vulnerability:
> http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
> CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0088
> Thanks

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...1935...
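Added example (not part of this thread, and not VRT code): the original poster suspects the rule's content match is a fragment of a BER-encoded LDAP OID, so a quick way to triage the alerts is to decode the rule's `content:` bytes as an OBJECT IDENTIFIER body and see whether they spell out an OID that legitimate clients send on every bind or search. The thread does not reproduce the rule 16433 string, so the sample patterns below are constructed: they use the LDAP paged-results control OID (1.2.840.113556.1.4.319), which ordinary Windows and OpenLDAP clients send to port 389/3268 constantly, as a stand-in. The helper accepts a pattern that stops mid-subidentifier and reports it as a partial OID, which is what a truncated content match looks like.

```python
"""Decode a Snort content pattern as a BER OBJECT IDENTIFIER body (added example)."""
from typing import Dict, List, Optional, Tuple

# Two well-known LDAP OIDs, used only to annotate a decoded match (assumed table).
KNOWN_LDAP_OIDS: Dict[str, str] = {
    "1.2.840.113556.1.4.319": "paged results control (RFC 2696)",
    "1.3.6.1.4.1.1466.20037": "StartTLS extended operation (RFC 4511)",
}


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string such as 'bind|00|' or '|2A 86|' into raw bytes.

    Segments between pipes are hex; everything outside them is literal text.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                       # inside |...|: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                # outside: literal characters
            out += part.encode("latin-1")
    return bytes(out)


def decode_oid_body(body: bytes) -> Tuple[str, bool]:
    """Decode the *contents* of a BER OID (no 0x06 tag, no length).

    Returns (dotted OID, complete). complete is False when the last byte still
    carries the 0x80 continuation bit, i.e. the pattern ends mid-subidentifier.
    """
    if not body:
        raise ValueError("empty OID body")
    subids: List[int] = []
    value = 0
    for b in body:
        if value == 0 and b == 0x80:         # leading 0x80 pad is non-minimal (X.690)
            raise ValueError("non-minimal subidentifier encoding")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    complete = not (body[-1] & 0x80)
    if not subids:
        return "", False                     # not even the first arc finished
    first = subids[0]                        # first byte packs arcs 1 and 2 as 40*a+b
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs += subids[1:]
    return ".".join(map(str, arcs)), complete


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into its BER body (inverse of decode_oid_body)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]                 # low 7 bits last, continuation bits on the rest
        sid >>= 7
        while sid:
            chunk.append((sid & 0x7F) | 0x80)
            sid >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def ber_oid_tlv(dotted: str) -> bytes:
    """Full tag-length-value for an OID shorter than 128 bytes (tag 0x06)."""
    body = encode_oid(dotted)
    if len(body) >= 128:
        raise ValueError("long-form length not handled")
    return b"\x06" + bytes([len(body)]) + body


def triage_content(content: str) -> Dict[str, Optional[object]]:
    """Decode a rule's content pattern and say whether it looks like an LDAP OID."""
    raw = parse_snort_content(content)
    body = raw
    if len(raw) >= 2 and raw[0] == 0x06 and raw[1] < 0x80:
        body = raw[2:2 + raw[1]]             # pattern includes the OID tag and length
    try:
        dotted, complete = decode_oid_body(body)
    except ValueError:
        return {"raw": raw.hex(), "oid": None, "complete": False, "known": None}
    return {"raw": raw.hex(), "oid": dotted, "complete": complete,
            "known": KNOWN_LDAP_OIDS.get(dotted)}


if __name__ == "__main__":
    # Constructed samples: the paged-results control OID, whole and cut short.
    for sample in ("|2A 86 48 86 F7 14 01 04 82 3F|", "|2A 86 48 86 F7|"):
        print(sample, "->", triage_content(sample))
```

If the decoded value is a control or extension OID that every client sends, the rule is matching on routine LDAP traffic rather than the malformed request it was written for, and the packet captures the poster mentions should confirm that before the rule is disabled or thresholded.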
