Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
2
Replies

Additional Custom Signature for the SysV /bin/login Overflow

mcerha
Level 3
Level 3

‎01-04-2002 08:26 PM - edited ‎03-08-2019 09:30 PM

This is a new custom signature entry for the recent SysV /bin/login Buffer Overflow referenced in CERT Advisory CA-2001-34. This signature is provided as a supplement to S13 signatures 3403 and 3501 to better detect any attacks. It will be incorporated into a future signature update. Listed below is a sample screenshot of the output of the SigWizMenu tool. Please refer to the sensor Release Notes for instructions on how to use the SigWizMenu tool to add a custom signature.

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.TCP SIGID 20000

SigName: SysV /bin/login Overflow

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - MaxInspectLength =

7 - MinHits = 1

8 - MinMatchLength =

9 - MultipleHits =

10 * RegexString = ([ \t][^ =\r\n]*[=][^ =\r\n][\x00-x7F]*){5}[\x00-\xff]*[\x80-\xff]

11 - ResetAfterIdle = 15

12 - ServicePorts = 23,513

13 - SigComment =

14 - SigName = SysV /bin/login Overflow

15 - SigStringInfo = /bin/login x1=1 x2=2...

16 - StripTelnetOptions = TRUE

17 - ThrottleInterval =

18 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Labels:
0 Helpful
2 Replies 2

dlac455
Level 1
Level 1

‎01-08-2002 07:26 AM

How should we manage custom signatures over the long term? Are they added to subsequent signature releases? If so, should we then go back and remove the custom ones at some point?

0 Helpful

anthall
Level 1
Level 1
In response to dlac455

‎01-11-2002 02:42 PM

All custom signatures are included in later releases. Once a signature update is release, all prior custom signatures should be covered in the release. The custom signature releases are used only for signatures that have serious 0-day implications and cannot wait for the usual two week release. Those signatures then make it into the next signature update.

0 Helpful
Customers Also Viewed These Support Documents