[Snort-users] Explanation of Rule 1:19189:4

Nicholas Horton fivetenets at ...14399...
Tue Jan 29 07:28:57 EST 2013

What is important to check with this alert?

Does the vulnerability reside on the source or destination and what am I looking for?

I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.

> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral; metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)

More information about the Snort-users mailing list