03-12-2003 08:30 PM - edited 03-09-2019 02:29 AM
Could you please give me some insight into how this signature works? I'd like to know what exactly makes it trigger so that my customer can look for that sort of traffic and hopefully take care of it.
Thank you.
03-13-2003 03:24 PM
The following link explains the Windows Locator service overflow vulnerability.
http://www.cert.org/advisories/CA-2003-03.html
This will give you some idea as to what is triggering it.
03-13-2003 04:11 PM
Due to certain conditions, we're not able to disclose what exactly the signature is looking for, but I can make two suggestions. Filter this alarm so that it only fires for the domain controllers in the network as destinations. Normally, only domain controllers run the Locator service. Second, in an actual attack, you will see the request for the "\locator" named pipe prior to the attack being sent. I hope this helps.
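The two suggestions in the reply above (only count the alarm when the destination is a domain controller, and treat a preceding request for the "\locator" named pipe from the same client as corroboration) can be applied mechanically to sensor output. The script below is an added example, not code from the original thread, from Cisco, or from the signature itself. The one-line event format, the PIPE_OPEN and ALARM event kinds, the domain controller addresses and the 60-second correlation window are all assumptions constructed for this illustration; a real deployment would feed it the customer's own DC list and the sensor's actual alarm and SMB pipe-open records.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample events in a made-up one-line-per-event format:
#   <epoch_seconds> <src_ip> -> <dst_ip> <event_kind> [<detail>]
# PIPE_OPEN stands for an SMB named-pipe open seen on the wire and ALARM for
# the sensor's Locator overflow alarm. This is not any real sensor's format.
SAMPLE_LOG = r"""
1000 192.168.1.20 -> 10.0.0.5 PIPE_OPEN \locator
1002 192.168.1.20 -> 10.0.0.5 ALARM windows-locator-overflow
1500 192.168.1.30 -> 10.0.0.50 ALARM windows-locator-overflow
1700 192.168.1.40 -> 10.0.0.6 PIPE_OPEN \srvsvc
2000 192.168.1.40 -> 10.0.0.6 ALARM windows-locator-overflow
"""

# Assumed addresses of the domain controllers. In practice this list comes from
# the customer, since normally only domain controllers run the Locator service.
DOMAIN_CONTROLLERS: Set[str] = {"10.0.0.5", "10.0.0.6"}

LOCATOR_PIPE = "\\locator"   # the named pipe the reply says precedes a real attack
ALARM_KIND = "ALARM"
PIPE_OPEN_KIND = "PIPE_OPEN"
CORRELATION_WINDOW = 60      # seconds; an assumed value, tune to the environment


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    kind: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for blank or malformed lines."""
    parts = line.split(None, 5)
    if len(parts) < 5 or parts[2] != "->" or not parts[0].isdigit():
        return None
    detail = parts[5].strip() if len(parts) == 6 else ""
    return Event(int(parts[0]), parts[1], parts[3], parts[4], detail)


def parse_log(text: str) -> List[Event]:
    """Parse all lines and return the events in time order."""
    events = (parse_line(line) for line in text.splitlines())
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def triage_alarms(events: Iterable[Event], dcs: Set[str],
                  window: int = CORRELATION_WINDOW) -> List[Tuple[int, str, str, str]]:
    """Apply the two suggestions from the reply to every Locator alarm.

    Verdicts:
      filtered    - destination is not a domain controller, so drop the alarm
      confirmed   - the same client opened \\locator on that host shortly before
      unconfirmed - DC destination, but no preceding \\locator request was seen
    """
    # Most recent \locator pipe open per (client, server) pair seen so far.
    last_locator_open: Dict[Tuple[str, str], int] = {}
    results: List[Tuple[int, str, str, str]] = []
    for ev in events:  # events must be time-ordered, as parse_log guarantees
        if ev.kind == PIPE_OPEN_KIND and ev.detail.lower() == LOCATOR_PIPE:
            last_locator_open[(ev.src, ev.dst)] = ev.ts
        elif ev.kind == ALARM_KIND:
            if ev.dst not in dcs:
                verdict = "filtered"
            else:
                opened = last_locator_open.get((ev.src, ev.dst))
                if opened is not None and 0 <= ev.ts - opened <= window:
                    verdict = "confirmed"
                else:
                    verdict = "unconfirmed"
            results.append((ev.ts, ev.src, ev.dst, verdict))
    return results


if __name__ == "__main__":
    for ts, src, dst, verdict in triage_alarms(parse_log(SAMPLE_LOG), DOMAIN_CONTROLLERS):
        print(f"{ts} {src} -> {dst}: {verdict}")
```

On the constructed sample the first alarm is confirmed (the same client opened \locator two seconds earlier), the second is filtered because 10.0.0.50 is not a domain controller, and the third is left unconfirmed because the only pipe that client opened beforehand was \srvsvc. The "unconfirmed" verdict is deliberately not a dismissal: the reply says the pipe request is seen in an actual attack, so its absence lowers confidence but the alarm on a DC still deserves a look.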
03-17-2003 01:43 PM
This filtering recommendation is not in the NSDB. Can that be updated to include this information?
03-17-2003 03:48 PM
Yes, I will do it in the S43 sig update. Thanks.