[logs] IDS signatures for PROTOS SNMP tests

From: Tina Bird (tbird@precision-guesswork.com)
Date: Thu Feb 14 2002 - 20:58:42 PST


    This is a little bit off topic, but since
    I've put it together -- and it's my list,
    so I can be off topic if I want to -- 
    here's what IDS vendors have gotten together
    for the SNMP vulnerabilities.
    
    tbird
    
    ---------- Forwarded message ----------
    Date: Thu, 14 Feb 2002 22:55:57 -0600 (CST)
    From: Tina Bird <tbird@precision-guesswork.com>
    To: incidentsat_private
    Cc: tbirdat_private
    Subject: IDS signatures for PROTOS SNMP tests
    
    Here's what I've been able to collect from
    the IDS community:
    
    The Snort community has created several rules
    specific to the malformed packets created within
    the PROTOS suite.  The specifics are on line at:
    
    http://www.geocrawler.com/lists/3/SourceForge/6752/0/7840200/
    
    ------------------------------------------------
    Cisco Secure Intrusion Detection System (NetRanger): Specific signatures 
    are available to detect the PROTOS tool suite, but the signature IDs have 
    not yet been released to the public. NetRanger is known to be vulnerable 
    to the SNMP issues; see Cisco's advisory for more information and the 
    appropriate Defect ID and intended first fixed releases. 
    
    http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml#noniossw
    
    The current signature set available for the Cisco IDS is
    dated 14 February, but does not specifically mention the
    PROTOS test suite in its release notes.
    ----------------------------------------------
    Enterasys Dragon: 5 new rules created and submitted to database: 
    SNMP:TRAP-FMT-STRING, SNMP:TRAP-FMT-NUMBER, SNMP:BUFFER-TEST, 
    SNMP:GET-FMT-NUMBER, SNMP:GET-FMT-STRING.  New signatures
    are available at
    
    https://dragon.enterasys.com/sig-maint/index.html
    
    Dragon Sensor and Dragon Squire are also both vulnerable
    to the SNMP bugs.  Updated versions of Dragon Squire are 
    available for registered customers at 
    
    https://dragon.enterasys.com/dragon5-fixes/index.html
    
    Updates for Dragon Sensor will be released shortly.
    -------------------------------------------
    Network Flight Recorder's Rapid Response Team
    
    NFR is not vulnerable to the SNMP bugs.  New 
    signatures are available for registered customers
    at 
    
    http://support.nfr.net
    ------------------------------------------- 
    
    ISS has released generic signatures for RealSecure and BlackICE that will 
    detect SNMP traffic, but do not appear to be specific for the PROTOS tool: 
    
    http://gtoc.iss.net/snmpalert.pdf
    http://www.iss.net/security_center/alerts/advise110.php
    
    In environments where SNMP is used for system
    management and monitoring, these signatures will
    create a large number of false positives.
    
    According to the ISS Web site, they will be releasing
    signatures that are specific to the PROTOS test suite
    shortly.
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
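The message above contrasts generic SNMP signatures (which alert on any SNMP traffic and so flood a managed network with false positives) with rules written for the malformed packets in the PROTOS suite. The following Python is an added illustration, not code from the post or from any of the vendors named in it: it builds a constructed, well-formed SNMPv1 GetRequest and three constructed variants (an outer length that overstates the payload, a truncated datagram, and a BER-valid but oversized community string), then runs a port-only "generic" rule beside a "specific" check that walks the BER structure. The UDP port list, the 255-byte community cap and the sample packets are assumptions chosen for the demonstration.

```python
# Added example: generic port-based SNMP rule beside a structural BER check.
# Sample datagrams are constructed here; nothing is captured from a real network.

SNMP_PORTS = (161, 162)     # ports a generic signature keys on (assumption)
MAX_COMMUNITY = 255         # policy cap on community length (assumption)
CONSTRUCTED = 0x20          # BER tag bit marking a nested (constructed) type


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one tag/length/value triple in definite-length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def encode_int(value: int) -> bytes:
    """Minimal big-endian INTEGER content for a non-negative value."""
    return value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")


def build_get_request(community: bytes = b"public",
                      oid: bytes = b"\x2b\x06\x01\x02\x01\x01\x01\x00",  # sysDescr.0
                      request_id: int = 1) -> bytes:
    """Construct a well-formed SNMPv1 GetRequest payload (sample input)."""
    varbind = encode_tlv(0x30, encode_tlv(0x06, oid) + encode_tlv(0x05, b""))
    pdu = encode_tlv(0xA0,
                     encode_tlv(0x02, encode_int(request_id))
                     + encode_tlv(0x02, b"\x00")        # error-status
                     + encode_tlv(0x02, b"\x00")        # error-index
                     + encode_tlv(0x30, varbind))       # variable-bindings
    return encode_tlv(0x30, encode_tlv(0x02, b"\x00")   # version 0 = SNMPv1
                      + encode_tlv(0x04, community) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos and return (tag, value, next_pos).
    Raises ValueError when a length does not fit the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length encoding")
        if pos + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


def walk(buf: bytes) -> None:
    """Parse every TLV in buf, recursing into constructed types, so an
    inconsistent length at any nesting depth raises ValueError."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & CONSTRUCTED:
            walk(value)


def structural_findings(payload: bytes) -> list:
    """List the layout problems in an SNMP message; an empty list means clean."""
    findings = []
    try:
        walk(payload)                       # every length must be self-consistent
        tag, body, end = read_tlv(payload, 0)
        if tag != 0x30:
            return ["outer element is not a SEQUENCE"]
        if end != len(payload):
            findings.append("trailing bytes after message")
        vtag, version, pos = read_tlv(body, 0)
        if vtag != 0x02 or len(version) != 1:
            findings.append("version is not a one-byte INTEGER")
        ctag, community, pos = read_tlv(body, pos)
        if ctag != 0x04:
            findings.append("community is not an OCTET STRING")
        elif len(community) > MAX_COMMUNITY:
            findings.append(f"community string is {len(community)} bytes")
        ptag, _, _ = read_tlv(body, pos)
        if not 0xA0 <= ptag <= 0xA8:
            findings.append(f"unexpected PDU tag 0x{ptag:02x}")
    except ValueError as exc:
        findings.append(f"BER error: {exc}")
    return findings


def classify(dst_port: int, payload: bytes) -> dict:
    """Generic rule fires on the port alone; the specific rule needs a defect."""
    findings = structural_findings(payload)
    return {"generic_alert": dst_port in SNMP_PORTS,
            "specific_alert": bool(findings), "findings": findings}


if __name__ == "__main__":
    good = build_get_request()
    samples = [("normal poll", good),
               ("bad outer length", bytes([good[0], 0x7F]) + good[2:]),
               ("truncated", good[:-3]),
               ("600-byte community", build_get_request(community=b"A" * 600))]
    for name, pkt in samples:
        print(f"{name:20s} {classify(161, pkt)}")
```

Run as a script, the normal poll raises only the generic alert, which is exactly the false positive the message warns about on a monitored network, while the three damaged datagrams raise the specific alert with a reason attached. The recursive `walk` is the part worth keeping: a single top-level length check misses a bad length buried in the variable-bindings, and that nesting is where fuzzed encodings usually differ from a management station's polls.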
    



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 22:17:58 PST