Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Explanation of Rule 1:19189:4

From: Nicholas Horton <fivetenets () me com>
Date: Tue, 29 Jan 2013 07:28:57 -0500
What is important to check with this alert?

Does the vulnerability reside on the source or destination and what am I looking for?

I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.

Thanks


alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response 
PathConsumed integer overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; 
content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; 
byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral; metadata:policy security-ips 
drop, service netbios-ssn; reference:cve,2011-1868; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)



------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: