
SMB DOS sig

sangelo
Beginner

Greetings, has anyone come up with a custom sig that will catch the MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)) attack yet?

I have not seen much out there yet.

thx much, sam

1 Reply

anthall
Beginner

Sorry for the delay in this custom signature. There were some issues with false positives that we wanted to eliminate before releasing.

The following signature will be part of the S31 signature update:

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.TCP SIGID 20000

SigName: SMB Enum Share DoS

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = ....\xff\x53\x4d\x42\x25[\x00-\xff]{32}\x00\x00\x00\x00[\x00-\xff]{22}[^\x00]*\x00[\x00\xd7\x68]\x00\x57

12 - ResetAfterIdle = 15

13 - ServicePorts = 139,445

14 - SigComment =

15 - SigName = SMB Enum Share DoS

16 - SigStringInfo = SMBdie

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Selection>
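Added example, not part of the original posts or of the S31 signature update: a small Python regression harness for anyone porting the RegexString above to another engine, checking that it fires only when every fixed element is present. The test buffers are constructed filler bytes rather than captured traffic, and the names `build`, `fires` and `report` are hypothetical.

```python
import re

# RegexString from the signature above, split per element as a Python bytes pattern.
PATTERN = (
    rb"....\xff\x53\x4d\x42\x25"   # any 4 bytes, then \xff "SMB" and byte 0x25
    rb"[\x00-\xff]{32}"            # 32 bytes of any value
    rb"\x00\x00\x00\x00"           # four zero bytes
    rb"[\x00-\xff]{22}"            # 22 bytes of any value
    rb"[^\x00]*\x00"               # NUL-terminated string
    rb"[\x00\xd7\x68]\x00\x57"     # 0x00, 0xd7 or 0x68, then 00 57
)
# Assumption: the sensor's "." matches every byte value, hence re.DOTALL.
SIG = re.compile(PATTERN, re.DOTALL)
SIG_NO_DOTALL = re.compile(PATTERN)   # Python default: "." skips 0x0a
SERVICE_PORTS = {139, 445}            # ServicePorts from the signature


def build(lead=b"\x00\x00\x00\x60", cmd=0x25, zeros=b"\x00" * 4, code=0x68):
    """Constructed test buffer: 0x41 filler wherever the pattern accepts any byte."""
    return (lead + b"\xffSMB" + bytes([cmd]) + b"A" * 32 + zeros
            + b"A" * 22 + b"NAME\x00" + bytes([code]) + b"\x00W")


def fires(payload, dst_port=445, sig=SIG):
    """True when the payload is bound for a service port and the regex matches."""
    return dst_port in SERVICE_PORTS and sig.search(payload) is not None


def report():
    """Run the constructed cases and return {case name: fired?}."""
    newline_lead = build(lead=b"\x00\x00\x0a\x60")  # 0x0a inside the 4 leading bytes
    return {
        "all elements present": fires(build()),
        "alternate byte 0xd7": fires(build(code=0xD7)),
        "zero span not zero": fires(build(zeros=b"\x01\x00\x00\x00")),
        "command byte not 0x25": fires(build(cmd=0x32)),
        "byte outside the class": fires(build(code=0x01)),
        "wrong destination port": fires(build(), dst_port=80),
        "0x0a lead, DOTALL": fires(newline_lead),
        "0x0a lead, no DOTALL": fires(newline_lead, sig=SIG_NO_DOTALL),
    }


if __name__ == "__main__":
    for name, fired in report().items():
        print(f"{name:26} {'ALARM' if fired else 'no match'}")
```

The last two cases show the porting pitfall: without DOTALL, a 0x0a in the four leading bytes silently defeats the match.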
