
Server Service Code Execution sig for v4.1 IDS

wgorman
Level 1

Is there an IDS signature release for the 4.1 platform for this vulnerability?

The bulletin only mentions the 5.x platform.

3 Replies

craiwill
Cisco Employee

IDS version 4.x doesn't have the capabilities required to detect these vulnerabilities with an acceptable level of fidelity, so we have no plans to release a signature to cover MS06-040 in an official 4.x signature update. This custom sig will work in 4.x but it is much more prone to false positives; the 5.x version uses the meta engine, which is not available in 4.x.

String.tcp

service ports: 139,445

regex:

\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88[\x00-\xff]*\x05\x00\x00[\x00-\xff]\x10\x00\x00\x00[\x00-\xff]{5}\x00\x00\x00[\x00-\xff]{6}\x1f\x00([\x00-\xff]?{16})[\x00-\xff]{4}[\x01-\x25]\x00\x00\x00\x00\x00\x00\x00[\x01-\x25]\x00\x00\x00([0-9A-Za-z\x2e]\x00)*\x00\x00[\x00-\xff]{4}\x00\x00\x00\x00(([\x07-\xff][\x02][\x00][\x00])|([\x00-\xff][\x03-\xff][\x00][\x00])|([\x00-\xff][\x00-\xff][^\x00])|([\x00-\xff][\x00-\xff][\x00-\xff][^\x00]))
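
Added example, not part of the thread and not Cisco's code: a Python sketch that decodes the fixed bytes at the front of the regex above, showing that it anchors on the Server service (srvsvc) interface UUID followed by a DCE/RPC request with opnum 0x1f. It assumes the standard connection-oriented DCE/RPC request header layout and models only the signature up to `\x1f\x00`; the function names and sample headers are constructed for illustration.

```python
import re
import struct
import uuid

# First 16 bytes of the signature regex, copied from the post.
SIG_UUID = bytes.fromhex("c84f324b7016d30112785a47bf6ee188")

# Fixed-offset run that follows "[\x00-\xff]*" in the signature, up to \x1f\x00.
# The rest of the signature (the checks after the opnum) is not modelled here.
SIG_HEADER = re.compile(
    rb"\x05\x00\x00[\x00-\xff]\x10\x00\x00\x00"
    rb"[\x00-\xff]{5}\x00\x00\x00[\x00-\xff]{6}\x1f\x00"
)

# Assumed layout: DCE/RPC connection-oriented request header, little-endian.
REQ = struct.Struct("<BBBB4sHHIIHH")
FIELDS = ("rpc_vers", "rpc_vers_minor", "ptype", "pfc_flags", "drep",
          "frag_length", "auth_length", "call_id", "alloc_hint",
          "p_cont_id", "opnum")


def interface_uuid(raw=SIG_UUID):
    """Render the 16 wire bytes as the interface UUID string."""
    return str(uuid.UUID(bytes_le=raw))


def parse_request(buf):
    """Decode the 24-byte request header into named fields."""
    return dict(zip(FIELDS, REQ.unpack_from(buf)))


def prefix_matches(stream):
    """True if the stream has the UUID and, later, a header the regex accepts."""
    pos = stream.find(SIG_UUID)
    return pos >= 0 and SIG_HEADER.search(stream, pos + len(SIG_UUID)) is not None


def build_request(opnum, call_id=1):
    """Constructed sample header (not captured traffic)."""
    return REQ.pack(5, 0, 0, 0x03, b"\x10\x00\x00\x00", 24, 0, call_id, 0, 0, opnum)


if __name__ == "__main__":
    print(interface_uuid())
    print(parse_request(build_request(0x1F)))
    bind = b"\x05\x00\x0b\x03" + SIG_UUID  # constructed: bytes carrying the UUID
    print(prefix_matches(bind + build_request(0x1F)))  # opnum 31
    print(prefix_matches(bind + build_request(0x0F)))  # different opnum
```

Because String.tcp evaluates one regex over the stream, the `[\x00-\xff]*` gap is what ties the earlier UUID to the later request in a single pattern.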

So when can the Cisco 2800 series be upgraded to engine 5.x?

I think it's misleading to advertise the 1800, 2800 and 3800 products as security products if signatures cannot be written for them.

wgorman
Level 1

According to the bulletin, I see that you have released S245 with SigID 5799.0 which looks like a version for the v4.x platform. Is this correct?

Is it NOT enabled by default because it is prone to False-Positives?
