11-30-2001 08:59 AM - edited 03-08-2019 09:18 PM
Hi,
Is it possible to write custom signatures to address this new ftp vulnerability as well as the Badtrans worm?
Regards,
Ross
11-30-2001 01:29 PM
Hi Ross,
Here is a screenshot of the parameters you will need to enter in SigWiz Menu for the wu-ftpd vulnerability.
Current Signature: Engine STRING.TCP SIGID 20000
SigName: wu-ftpd heap corruption
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - MaxInspectLength =
7 - MinHits = 1
8 - MinMatchLength =
9 - MultipleHits =
10 * RegexString = [ \t][~].*[{][^}]*[\r\n]
11 - ResetAfterIdle = 15
12 - ServicePorts = 21
13 - SigComment =
14 - SigName = wu-ftpd heap corruption
15 - SigStringInfo = Unbalanced {
16 - StripTelnetOptions =
17 - ThrottleInterval = 15
18 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
We are currently working on the Badtrans virus and will let you know as soon as it is ready.
Rohit
Note: The first square bracket in the regex has a white space followed by \t: [ \t]
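The RegexString in the post above can be exercised offline before it is saved to a sensor. The following is an added example, not part of the original thread and not Cisco code: it approximates the signature's ServicePorts and RegexString checks with Python's re module (an assumption about how the sensor matches), and every payload in it is constructed for the test.

```python
import re

# RegexString from the signature parameters, compiled as a bytes pattern.
# Assumption: Python's re semantics stand in for the sensor's STRING.TCP engine.
SIG_REGEX = re.compile(rb"[ \t][~].*[{][^}]*[\r\n]")
SERVICE_PORT = 21  # ServicePorts = 21

# Constructed client-to-server payloads (Direction = ToService); not captured traffic.
SAMPLES = [
    (21, b"CWD ~user/{a,b\r\n"),     # '{' never closed before the end of the line
    (21, b"CWD ~user/{a,b}\r\n"),    # balanced braces
    (21, b"CWD ~user/pub\r\n"),      # tilde but no brace
    (21, b"CWD pub~/{a\r\n"),        # no space or tab directly before '~'
    (21, b"CWD\t~user/{a\n"),        # tab separator and bare LF terminator
    (8021, b"CWD ~user/{a,b\r\n"),   # destination port outside ServicePorts
]


def signature_fires(dst_port: int, payload: bytes) -> bool:
    """True when the payload is bound for the FTP control port and the regex matches."""
    if dst_port != SERVICE_PORT:
        return False
    return SIG_REGEX.search(payload) is not None


def run_samples():
    """Evaluate every constructed sample and return the match results in order."""
    return [signature_fires(port, data) for port, data in SAMPLES]


if __name__ == "__main__":
    for (port, data), hit in zip(SAMPLES, run_samples()):
        print(f"{port:>5}  {data!r:<26} {'ALARM' if hit else 'no match'}")
```

Only the first and fifth samples alarm, which shows that the leading `[ \t]` class Rohit's note points out is what ties the match to the start of a command argument.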
12-03-2001 07:20 AM
Would you please clarify for the novice where I set these settings? I have not created my own signatures yet and I am interested in doing so.
Thank you,
Chris
12-03-2001 07:51 AM
Use the SigWiz utility that comes with the 3.0 IDS product. It takes the parameters listed and generates the appropriate configuration file entries.
You can check the config file to see what it auto-generated for you.
12-03-2001 11:56 AM
For more information on using SigWizMenu refer to:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115818
The section on Adding New Custom Signatures is what you are asking for.