Snort mailing list archives

Re: CVE-2016-3237 Rule


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 21 Dec 2016 19:45:47 +0000

This vulnerability doesn’t look like something we’d be able to detect. This is essentially trying to detect a MITM (Man in the middle) on a password change.


--
Joel Esler | Talos: Manager | jesler () cisco com

On Dec 21, 2016, at 6:50 AM, GPN SACC <gpnsacc () gmail com> wrote:

Is there a rule to alert for MS16-101?

From the blog entry (http://blog.talosintel.com/2016/08/ms-tuesday.html)

MS16-101 addresses two elevation of privilege vulnerabilities. CVE-2016-3300 relates to how Windows Netlogon 
establishes a secure connection to systems whose domain controller is running either Windows Server 2012 or Windows 
Server 2012 R2. An attacker would require access to a domain-joined machine that points to one of these systems in 
order to leverage the vulnerability and elevate privileges on the domain-joined machine. CVE-2016-3237 is related to 
Kerberos reverting to NTLM as the default authentication protocol after improperly handling a password change request. 
In order to exploit this and bypass the Kerberos authentication mechanism, an attacker would need to launch a 
man-in-the-middle attack against the traffic between a target machine and its domain controller.  All supported 
versions of Windows are affected for the Kerberos elevation of privilege, while the netlogon vulnerability only affects 
all versions of Windows 8.1 and Server 2012.

I searched through the snort rules 39808-39829, 39831-39844 and did not find a rule for CVE-2016-3237.


Thanks
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/intel
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
