Sourcefire Rules Update for Sourcefire Intelligent Security Monitoring System

Date: 2004-04-15

This rules update applies to all models of the 2.7.x and 3.x Network Sensor and Management Console.

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities in Microsoft operating systems.

Successful exploitation of these vulnerabilities could present an attacker with the opportunity to execute code of their choosing on the target host with system privileges. This can lead to unauthorized administrative access to the host system. It is also possible for an attacker to cause a Denial of Service (DoS) condition.

Rules to detect exploitation of this issue are included in the rulepack. These are referenced as SIDs 2494, 2495, 2496 and will alert on attempts to exploit CVE ID - CAN-2003-0813.

In addition, the VRT has done significant work to enhance the accuracy and efficiency of the Sourcefire ISM detection capabilities. Multiple rules were added or modified to reduce the possibility of false positives and to utilize recent enhancements in the detection engine.

WARNING:

If you are running a Sourcefire Network Sensor or Management Console v2.7, you must be running patch 3 or higher to install this update. The latest patch information can be found here.

https://support.sourcefire.com/cgi-bin/Main.pl/downloads

If you are running a Sourcefire Network Sensor or Management Console v3.0, you must install Sourcefire_IMS_Upgrade-3.0.1-19.sh before installing this rule pack. This patch can be found here.

https://support.sourcefire.com/cgi-bin/Main.pl/downloads

Rule Pack Summary:

SIDs:

• New rules 3.x only.
  • 2409 - POP3 APOP USER overflow attempt (pop3.rules)
  • 2411 - WEB-MISC Real Server DESCRIBE buffer overflow attempt (web-misc.rules)
  • 2416 - FTP invalid MDTM command attempt (ftp.rules)
  • 2417 - FTP format string attempt (ftp.rules)
  • 2419 - MULTIMEDIA realplayer .ram playlist download attempt (multimedia.rules)
  • 2420 - MULTIMEDIA realplayer .rmp playlist download attempt (multimedia.rules)
  • 2421 - MULTIMEDIA realplayer .smi playlist download attempt (multimedia.rules)
  • 2422 - MULTIMEDIA realplayer .rt playlist download attempt (multimedia.rules)
  • 2423 - MULTIMEDIA realplayer .rp playlist download attempt (multimedia.rules)
  • 2424 - NNTP sendsys overflow attempt (nntp.rules)
  • 2425 - NNTP senduuname overflow attempt (nntp.rules)
  • 2426 - NNTP version overflow attempt (nntp.rules)
  • 2427 - NNTP checkgroups overflow attempt (nntp.rules)
  • 2428 - NNTP ihave overflow attempt (nntp.rules)
  • 2429 - NNTP sendme overflow attempt (nntp.rules)
  • 2430 - NNTP newgroup overflow attempt (nntp.rules)
  • 2431 - NNTP rmgroup overflow attempt (nntp.rules)
  • 2432 - NNTP article post without path attempt (nntp.rules)
  • 2433 - WEB-CGI MDaemon form2raw.cgi overflow attempt (web-cgi.rules)
  • 2437 - WEB-CLIENT RealPlayer arbitrary javascript command attempt (web-client.rules)
  • 2438 - WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules)
  • 2439 - WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules)
  • 2440 - WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
  • 2441 - WEB-MISC NetObserve authentication bypass attempt (web-misc.rules)
  • 2442 - WEB-MISC Quicktime User-Agent buffer overflow attempt (web-misc.rules)
  • 2449 - FTP ALLO overflow attempt (ftp.rules)
  • 2460 - CHAT Yahoo IM webcam request (chat.rules)
  • 2476 - NETBIOS SMB-DS Create AndX Request winreg attempt (netbios.rules)
  • 2477 - NETBIOS SMB-DS Create AndX Request winreg unicode attempt (netbios.rules)
  • 2478 - NETBIOS SMB-DS DCERPC bind winreg attempt (netbios.rules)
  • 2479 - NETBIOS SMB-DS DCERPC bind winreg unicode attempt (netbios.rules)
  • 2480 - NETBIOS SMB-DS DCERPC shutdown unicode attempt (netbios.rules)
  • 2481 - NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt (netbios.rules)
  • 2482 - NETBIOS SMB-DS DCERPC shutdown attempt (netbios.rules)
  • 2483 - NETBIOS SMB-DS DCERPC shutdown little endian attempt (netbios.rules)
  • 2487 - SMTP WinZip MIME content-type buffer overflow (smtp.rules)
  • 2488 - SMTP WinZip MIME content-disposition buffer overflow (smtp.rules)
  • 2489 - EXPLOIT esignal STREAMQUOTE buffer overflow attempt (exploit.rules)
  • 2490 - EXPLOIT esignal SNAPQUOTE buffer overflow attempt (exploit.rules)
  • 2491 - NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt (netbios.rules)
  • 2492 - NETBIOS SMB DCERPC ISystemActivator bind attempt (netbios.rules)
  • 2493 - NETBIOS SMB DCERPC ISystemActivator unicode bind attempt (netbios.rules)
  • 2494 - NETBIOS DCEPRC ORPCThis request flood attempt (netbios.rules)
  • 2495 - NETBIOS SMB DCEPRC ORPCThis request flood attempt (netbios.rules)
  • 2496 - NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt (netbios.rules)
• New rules 2.7 and 3.x
  • 2376 - EXPLOIT ISAKMP first payload certificate request length overflow attempt (exploit.rules)
  • 2377 - EXPLOIT ISAKMP second payload certificate request length overflow attempt (exploit.rules)
  • 2378 - EXPLOIT ISAKMP third payload certificate request length overflow attempt (exploit.rules)
  • 2379 - EXPLOIT ISAKMP forth payload certificate request length overflow attempt (exploit.rules)
  • 2380 - EXPLOIT ISAKMP fifth payload certificate request length overflow attempt (exploit.rules)
  • 2405 - WEB-PHP phptest.php access (web-php.rules)
  • 2406 - TELNET APC SmartSlot default admin account attempt (telnet.rules)
  • 2407 - WEB-MISC util.pl access (web-misc.rules)
  • 2408 - WEB-MISC Invision Power Board search.pl access (web-misc.rules)
  • 2410 - WEB-PHP IGeneric Free Shopping Cart page.php access (web-php.rules)
  • 2412 - ATTACK-RESPONSES successful cross site scripting forced download attempt (attack-responses.rules)
  • 2413 - EXPLOIT ISAKMP delete hash with empty hash attempt (exploit.rules)
  • 2414 - EXPLOIT ISAKMP initial contact notification without SPI attempt (exploit.rules)
  • 2415 - EXPLOIT ISAKMP second payload initial contact notification without SPI attempt (exploit.rules)
  • 2418 - MISC MS Terminal Server no encryption session initiation attmept (misc.rules)
  • 2434 - WEB-CGI MDaemon form2raw.cgi access (web-cgi.rules)
  • 2435 - WEB-CLIENT Microsoft emf metafile access (web-client.rules)
  • 2436 - WEB-CLIENT Microsoft wmf metafile access (web-client.rules)
  • 2443 - EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt (exploit.rules)
  • 2444 - EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt (exploit.rules)
  • 2445 - EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt (exploit.rules)
  • 2446 - EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt (exploit.rules)
  • 2447 - WEB-MISC ServletManager access (web-misc.rules)
  • 2448 - WEB-MISC setinfo.hts access (web-misc.rules)
  • 2450 - CHAT Yahoo IM successful logon (chat.rules)
  • 2451 - CHAT Yahoo IM voicechat (chat.rules)
  • 2452 - CHAT Yahoo IM ping (chat.rules)
  • 2453 - CHAT Yahoo IM conference invitation (chat.rules)
  • 2454 - CHAT Yahoo IM conference logon success (chat.rules)
  • 2455 - CHAT Yahoo IM conference message (chat.rules)
  • 2456 - CHAT Yahoo IM file transfer request (chat.rules)
  • 2457 - CHAT Yahoo IM message (chat.rules)
  • 2458 - CHAT Yahoo IM successful chat join (chat.rules)
  • 2459 - CHAT Yahoo IM webcam offer invitation (chat.rules)
  • 2461 - CHAT Yahoo IM webcam watch (chat.rules)
  • 2462 - EXPLOIT IGMP IGAP account overflow attempt (exploit.rules)
  • 2463 - EXPLOIT IGMP IGAP message overflow attempt (exploit.rules)
  • 2464 - EXPLOIT EIGRP prefix length overflow attempt (exploit.rules)
  • 2465 - NETBIOS SMB-DS IPC$ share access (netbios.rules)
  • 2466 - NETBIOS SMB-DS IPC$ share unicode access (netbios.rules)
  • 2467 - NETBIOS SMB D$ share unicode access (netbios.rules)
  • 2468 - NETBIOS SMB-DS D$ share access (netbios.rules)
  • 2469 - NETBIOS SMB-DS D$ share unicode access (netbios.rules)
  • 2470 - NETBIOS SMB C$ share unicode access (netbios.rules)
  • 2471 - NETBIOS SMB-DS C$ share access (netbios.rules)
  • 2472 - NETBIOS SMB-DS C$ share unicode access (netbios.rules)
  • 2473 - NETBIOS SMB ADMIN$ share unicode access (netbios.rules)
  • 2474 - NETBIOS SMB-DS ADMIN$ share access (netbios.rules)
  • 2475 - NETBIOS SMB-DS ADMIN$ share unicode access (netbios.rules)
  • 2484 - WEB-MISC source.jsp access (web-misc.rules)
  • 2485 - WEB-CLIENT Nortan antivirus sysmspam.dll load attempt (web-client.rules)
  • 2486 - DOS ISAKMP invalid identification payload attempt (dos.rules)
• Modified rules 3.x only.
  • 654 - SMTP RCPT TO overflow (smtp.rules)
  • 721 - VIRUS OUTBOUND bad file attachment (virus.rules)
  • 2178 - FTP USER format string attempt (ftp.rules)
  • 2278 - WEB-MISC negative Content-Length attempt (web-misc.rules)
  • 2193 - NETBIOS SMB-DS DCERPC ISystemActivator bind attempt (netbios.rules)
  • 2253 - SMTP XEXCH50 overflow attempt (smtp.rules)
  • 2259 - SMTP EXPN overflow attempt (smtp.rules)
  • 2260 - SMTP VRFY overflow attempt (smtp.rules)
  • 2278 - WEB-MISC negative Content-Length attempt (web-misc.rules)
  • 2329 - MS-SQL probe response overflow attempt (sql.rules)
  • 2348 - NETBIOS SMB-DS DCERPC print spool bind attempt (netbios.rules)
  • 2349 - NETBIOS SMB-DS DCERPC enumerate printers request attempt (netbios.rules)
  • 2350 - NETBIOS DCERPC ISystemActivator bind accept (netbios.rules)
  • 2351 - NETBIOS DCERPC ISystemActivator path overflow attempt little endian (netbios.rules)
  • 2352 - NETBIOS DCERPC ISystemActivator path overflow attempt big endian (netbios.rules)
• Modified rules 2.7 and 3.x
  • 540 - CHAT MSN message (chat.rules)
  • 541 - CHAT ICQ access (chat.rules)
  • 542 - CHAT IRC nick change (chat.rules)
  • 729 - VIRUS OUTBOUND .scr file attachment (deleted.rules)
  • 730 - VIRUS OUTBOUND .shs file attachment (deleted.rules)
  • 732 - Virus - Possible QAZ Worm Infection (deleted.rules)
  • 793 - VIRUS OUTBOUND .vbs file attachment (deleted.rules)
  • 1233 - WEB-CLIENT Outlook EML access (web-client.rules)
  • 1329 - WEB-ATTACKS /bin/ps command attempt (web-attacks.rules)
  • 1463 - CHAT IRC message (chat.rules)
  • 1639 - CHAT IRC DCC file transfer request (chat.rules)
  • 1640 - CHAT IRC DCC chat request (chat.rules)
  • 1685 - ORACLE all_tab_privs access (oracle.rules)
  • 1729 - CHAT IRC channel join (chat.rules)
  • 1789 - CHAT IRC dns request (chat.rules)
  • 1790 - CHAT IRC dns response (chat.rules)
  • 1832 - CHAT ICQ forced user addition (chat.rules)
  • 2160 - VIRUS OUTBOUND .exe file attachment (deleted.rules)
  • 2161 - VIRUS OUTBOUND .doc file attachment (deleted.rules)
  • 2162 - VIRUS OUTBOUND .hta file attachment (deleted.rules)
  • 2163 - VIRUS OUTBOUND .chm file attachment (deleted.rules)
  • 2164 - VIRUS OUTBOUND .reg file attachment (deleted.rules)
  • 2165 - VIRUS OUTBOUND .ini file attachment (deleted.rules)
  • 2166 - VIRUS OUTBOUND .bat file attachment (deleted.rules)
  • 2167 - VIRUS OUTBOUND .diz file attachment (deleted.rules)
  • 2168 - VIRUS OUTBOUND .cpp file attachment (deleted.rules)
  • 2169 - VIRUS OUTBOUND .dll file attachment (deleted.rules)
  • 2170 - VIRUS OUTBOUND .vxd file attachment (deleted.rules)
  • 2171 - VIRUS OUTBOUND .sys file attachment (deleted.rules)
  • 2172 - VIRUS OUTBOUND .com file attachment (deleted.rules)
  • 2173 - VIRUS OUTBOUND .hsq file attachment (deleted.rules)
  • 2174 - NETBIOS SMB winreg access (netbios.rules)
  • 2175 - NETBIOS SMB winreg unicode access (netbios.rules)
  • 2176 - NETBIOS SMB startup folder access (netbios.rules)
  • 2177 - NETBIOS SMB startup folder unicode access (netbios.rules)
  • 2197 - WEB-CGI cvsview2.cgi access (web-cgi.rules)
  • 2251 - NETBIOS DCERPC Remote Activation bind attempt (netbios.rules)
  • 2252 - NETBIOS SMB-DS DCERPC Remote Activation bind attempt (netbios.rules)
  • 2254 - SMTP XEXCH50 overflow with evasion attempt (deleted.rules)
  • 2257 - NETBIOS DCERPC Messenger Service buffer overflow attempt (netbios.rules)
  • 2258 - NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt (netbios.rules)
  • 2308 - NETBIOS SMB DCERPC Workstation Service unicode bind attempt (netbios.rules)
  • 2309 - NETBIOS SMB DCERPC Workstation Service bind attempt (netbios.rules)
  • 2310 - NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt (netbios.rules)
  • 2311 - NETBIOS SMB-DS DCERPC Workstation Service bind attempt (netbios.rules)
  • 2315 - NETBIOS DCERPC Workstation Service direct service bind attempt (netbios.rules)
  • 2316 - NETBIOS DCERPC Workstation Service direct service access attempt (netbios.rules)
  • 2337 - TFTP PUT filename overflow attempt (tftp.rules)
  • 2372 - WEB-PHP Photopost PHP Pro showphoto.php access (web-php.rules)
  • 2383 - NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt (netbios.rules)
  • 2385 - NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt (netbios.rules)
  • 2402 - NETBIOS SMB-DS Session Setup AndX request username overflow attempt (netbios.rules)
  • 2404 - NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt (netbios.rules)
  • 2372 - WEB-PHP Photopost PHP Pro showphoto.php access (web-php.rules)

Rules Application:

Separate rule packs and application instructions are available for all Sourcefire products. Detailed instructions can be found on the Sourcefire Customer Support Site in the downloads section for each product.

For Assistance:

If you have any questions or require assistance at any time.

• Visit the Sourcefire Customer Support site at https://support.sourcefire.com.
• Email Sourcefire Customer Support at support@sourcefire.com.
• Call Sourcefire Customer Support at 410.423.1901 or 1.800.917.4134.