This is a little bit off topic, but since I've put it together -- and it's my list, so I can be off topic if I want to -- here's what IDS vendors have gotten together for the SNMP vulnerabilities.

tbird

---------- Forwarded message ----------
Date: Thu, 14 Feb 2002 22:55:57 -0600 (CST)
From: Tina Bird <tbird@precision-guesswork.com>
To: incidentsat_private
Cc: tbirdat_private
Subject: IDS signatures for PROTOS SNMP tests

Here's what I've been able to collect from the IDS community:

The Snort community has created several rules specific to the malformed packets created within the PROTOS suite. The specifics are on line at:

http://www.geocrawler.com/lists/3/SourceForge/6752/0/7840200/

------------------------------------------------

Cisco Secure Intrusion Detection System (NetRanger):

Specific signatures are available to detect the PROTOS tool suite, but the signature IDs have not yet been released to the public. NetRanger is known to be vulnerable to the SNMP issues; see Cisco's advisory for more information and the appropriate Defect ID and intended first fixed releases.

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml#noniossw

The current signature set available for the Cisco IDS is dated 14 February, but does not specifically mention the PROTOS test suite in its release notes.

----------------------------------------------

Enterasys Dragon:

5 new rules created and submitted to database: SNMP:TRAP-FMT-STRING, SNMP:TRAP-FMT-NUMBER, SNMP:BUFFER-TEST, SNMP:GET-FMT-NUMBER, SNMP:GET-FMT-STRING. New signatures are available at

https://dragon.enterasys.com/sig-maint/index.html

Dragon Sensor and Dragon Squire are also both vulnerable to the SNMP bugs. Updated versions of Dragon Squire are available for registered customers at

https://dragon.enterasys.com/dragon5-fixes/index.html

Updates for Dragon Sensor will be released shortly.
-------------------------------------------

Network Flight Recorder's Rapid Response Team

NFR is not vulnerable to the SNMP bugs. New signatures are available for registered customers at

http://support.nfr.net

-------------------------------------------

ISS has released generic signatures for RealSecure and BlackICE that will detect SNMP traffic, but do not appear to be specific for the PROTOS tool:

http://gtoc.iss.net/snmpalert.pdf
http://www.iss.net/security_center/alerts/advise110.php

In environments where SNMP is used for system management and monitoring, these signatures will create a large number of false positives. According to the ISS Web site, they will be releasing signatures that are specific to the PROTOS test suite shortly.