[Snort-users] Explanation of Rule 1:19189:4

rmkml rmkml at ...1855...
Tue Jan 29 07:50:12 EST 2013

Hi Nicholas,

This rule are renamed on rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"

  The Distributed File System (DFS) implementation in Microsoft Windows
  XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
  in DFS responses, which allows remote DFS servers to execute arbitrary
  code via a crafted response, aka "DFS Memory Corruption

Please post pcap if you have FP.

Best Regards

On Tue, 29 Jan 2013, Nicholas Horton wrote:

> What is important to check with this alert?
> Does the vulnerability reside on the source or destination and what am I looking for?
> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
> Thanks
>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
  flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
  content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
  metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)

More information about the Snort-users mailing list