[Snort-users] Explanation of Rule 1:19189:4

Nicholas Horton fivetenets at ...14399...
Tue Jan 29 08:28:15 EST 2013

Thanks Rmkml. 

I don't have a pcap at this time but can record one.  What I do have is 2 alerts from 2 different sources going to the same destination ip generating this alert.

Sources are Windows 2003 Server titanium and the destination is an XP Pro box.

Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination ip box.

I would like to see who has the vulnerability or where the issue is. For example, when I get another NetBIOS alert such as 1:14782 (Conficker) I'm able to verify with nmap that it has the Conficker infection.

So with the new NetBIOS alert, is there a possible infection? It lists no known false positives. So if both sources have the patch, should I check the destination, since this rule is flow to_client?

I read CVE-2011-1869 but I'm still not sure if this is an issue or not.

I guess I should turn on pcap output along with unified2. I can do both simultaneously, right?

Thanks again

On Jan 29, 2013, at 7:50 AM, rmkml <rmkml at ...1855...> wrote:

> Hi Nicholas,
> This rule was renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
> CVE:
> The Distributed File System (DFS) implementation in Microsoft Windows
> XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
> in DFS responses, which allows remote DFS servers to execute arbitrary
> code via a crafted response, aka "DFS Memory Corruption
> Vulnerability."
> Please post pcap if you have FP.
> Best Regards
> Rmkml
> On Tue, 29 Jan 2013, Nicholas Horton wrote:
>> What is important to check with this alert?
>> Does the vulnerability reside on the source or destination and what am I looking for?
>> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
>> Thanks
>>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
>>> flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
>>> content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
>>> metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
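To make the rule's direction and offsets concrete, here is an added Python example (not code from this thread, nor from the Snort rule set or its vendor). It builds a constructed, NBSS-framed SMB1 TRANS2 response carrying a RESP_GET_DFS_REFERRAL structure and re-implements the checks of sid:19189 rev 4 over that payload. It assumes the fixed TRANS2 response layout that the rule's relative offset of 47 relies on (SetupCount 0, no parameter bytes, a single pad byte before the data block); every header value other than PathConsumed is a placeholder. The port and flow constraints show that the inspected bytes are sent by the SMB server on port 445, and the byte_test reads the client-side PathConsumed field, so the host a malicious response can hurt is the SMB client, i.e. the destination of the alert. A benign PathConsumed such as 0x001A does not fire; 0xFFFE and 0xFFFF do.

```python
import struct

SMB_COM_TRANSACTION2 = 0x32   # ASCII '2', which is why the rule matches "|FF|SMB2"
STATUS_SUCCESS = 0x00000000
SMB_PORT = 445

# Offset (from the start of the SMB header) where the TRANS2 response data begins in
# the fixed layout assumed here: 32-byte header, WordCount, 10 words, ByteCount, 1 pad byte.
DATA_OFFSET = 32 + 1 + 20 + 2 + 1   # = 56, i.e. packet offset 60 after the 4-byte NBSS header


def build_dfs_referral_response(path_consumed, referral_entries=b""):
    """Build a constructed NBSS-framed SMB1 TRANS2 response with a RESP_GET_DFS_REFERRAL
    data block. Only PathConsumed matters to the rule; other field values are placeholders."""
    # RESP_GET_DFS_REFERRAL: PathConsumed(2) NumberOfReferrals(2) ReferralHeaderFlags(4) entries...
    data = struct.pack("<HHI", path_consumed, 1, 0) + referral_entries

    # SMB header: protocol, command, status, flags, flags2, PIDHigh, signature(8),
    # reserved, TID, PIDLow, UID, MID (placeholder values)
    smb_header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", SMB_COM_TRANSACTION2, STATUS_SUCCESS,
        0x98, 0xC807, 0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, 0x0040,
    )

    # TRANS2 response words (WordCount = 10): TotalParamCount, TotalDataCount, Reserved,
    # ParamCount, ParamOffset, ParamDisplacement, DataCount, DataOffset, DataDisplacement,
    # SetupCount, Reserved
    words = struct.pack(
        "<HHHHHHHHHBB",
        0, len(data), 0, 0, DATA_OFFSET, 0, len(data), DATA_OFFSET, 0, 0, 0,
    )
    pad = b"\x00"   # one pad byte aligns the data block to a 4-byte boundary
    smb = smb_header + bytes([10]) + words + struct.pack("<H", len(pad) + len(data)) + pad + data

    # NetBIOS session service header: type 0x00 (session message) + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def rule_19189_matches(payload, src_port, dst_port, dfs_referral_flowbit_set):
    """Re-implement the checks of sid:19189 rev 4 over one TCP payload; return True when
    the rule would alert. The SMB server is the source (port 445) and the client that
    receives and parses the response is the destination ($HOME_NET any, so dst_port is
    unconstrained)."""
    # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ... flow:established,to_client
    if src_port != SMB_PORT:
        return False
    # flowbits:isset,smb.trans2.get_dfs_referral -- the client's request must have been seen first
    if not dfs_referral_flowbit_set:
        return False
    # content:"|00|"; offset:1 -- a 0x00 byte at or after offset 1 (NBSS length high byte)
    if payload.find(b"\x00", 1) == -1:
        return False
    # content:"|FF|SMB2"; depth:5; offset:4 -- SMB header at offset 4, command byte 0x32 (TRANS2)
    if payload[4:9] != b"\xffSMB2":
        return False
    # content:"|00 00 00 00|"; within:4 -- NT status STATUS_SUCCESS directly after the command byte
    if payload[9:13] != b"\x00\x00\x00\x00":
        return False
    # byte_test:2,>,0xFFFD,47,little,relative -- 47 bytes past the end of the status match (13)
    # is PathConsumed (packet offset 60) under the fixed TRANS2 layout built above.
    pos = 13 + 47
    if len(payload) < pos + 2:
        return False
    path_consumed = struct.unpack_from("<H", payload, pos)[0]
    return path_consumed > 0xFFFD


if __name__ == "__main__":
    for value in (0x001A, 0xFFFD, 0xFFFE, 0xFFFF):
        pkt = build_dfs_referral_response(value)
        print("PathConsumed=0x%04X -> alert=%s" % (value, rule_19189_matches(pkt, 445, 49152, True)))
```

Running this logic over a captured response only tells you whether the server's bytes are malformed in the way the rule looks for; whether the destination host can actually be exploited by such a response is a separate question, answered by checking that it has the MS11-042 update the rule references.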
