12-21-2001 12:51 PM - edited 03-08-2019 09:27 PM
Below is a custom signature for the recent Windows UPnP Service buffer overflow referenced by CERT Advisory CA-2001-37. The information is presented as a 'SigWizMenu' screenshot. The signature can be added to a sensor using the 'SigWizMenu' tool. Please see the sensor release notes for more information regarding adding custom signatures.
Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP SIGID 20000
SigName: UPnP LOCATION Overflow
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength =
8 - MinHits =
9 * RegexString = [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn][:]([^\n\r]){116}.*[\r\n]
10 - ResetAfterIdle = 15
11 * ServicePorts = 1900
12 - SigComment =
13 - SigName = UPnP LOCATION Overflow
14 - SigStringInfo = LOCATION <100+ Chars>
15 - ThrottleInterval = 15
16 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
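An added example, not part of the original post and not Cisco code: the RegexString and ServicePorts values above checked against constructed SSDP NOTIFY payloads, to show where the length threshold sits and that any sufficiently long LOCATION value matches. Python's `re` module stands in for the sensor's STRING.UDP engine, and the helper names and sample payloads are assumptions made for illustration.

```python
import re

# RegexString copied from the signature above. Python's re is an assumed
# stand-in for the sensor engine; the two may differ in corner cases.
REGEX = re.compile(rb"[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn][:]([^\n\r]){116}.*[\r\n]")
SERVICE_PORT = 1900  # ServicePorts from the signature


def notify(value: bytes, header: bytes = b"LOCATION") -> bytes:
    """Build a constructed SSDP NOTIFY payload carrying the given LOCATION value."""
    return (
        b"NOTIFY * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\n"
        b"NTS: ssdp:alive\r\n"
        + header + b":" + value + b"\r\n"
    )


def value_of_length(n: int) -> bytes:
    """Constructed header value of exactly n bytes (inert filler, n >= 19)."""
    prefix = b" http://192.0.2.10/"  # leading space counts toward the 116
    return prefix + b"a" * (n - len(prefix))


def would_fire(payload: bytes, dst_port: int) -> bool:
    """True if a UDP payload sent to dst_port matches (Direction = ToService)."""
    return dst_port == SERVICE_PORT and REGEX.search(payload) is not None


def check_samples() -> dict:
    """Run the signature over constructed samples and return the verdicts."""
    return {
        "typical": would_fire(notify(b" http://192.0.2.10:5000/desc.xml"), 1900),
        "100_bytes": would_fire(notify(value_of_length(100)), 1900),
        "115_bytes": would_fire(notify(value_of_length(115)), 1900),
        "116_bytes": would_fire(notify(value_of_length(116)), 1900),
        "lowercase_header": would_fire(notify(value_of_length(200), b"location"), 1900),
        "other_port": would_fire(notify(value_of_length(200)), 5000),
    }


if __name__ == "__main__":
    for name, fired in check_samples().items():
        print(f"{name:18} {'ALARM' if fired else 'no match'}")
```

The match is purely length-based, so a legitimate device advertising a description URL of 116 bytes or more after the colon would also raise the alarm, while values between 100 and 115 bytes do not match despite the `<100+ Chars>` description in SigStringInfo.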
12-28-2001 06:21 AM
Is this signature included in either the S12 or S13 updates?
12-28-2001 06:59 AM
Unfortunately no. The exploit was not announced until after we had already shipped the S13 update. It will be included in S14.