New Dragon IPS signature release.

  • Updated 1 year ago

The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:

 

IIS:WEBDAV-REMOTE-CODE

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in the Microsoft IIS server on Windows XP and Windows 2003 that may lead to remote code execution. The vulnerability is in the processing of specific HTTP headers within IIS. Microsoft has released a patch for this vulnerability.

REFERENCE: URLREF

http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

REFERENCE: URLREF

https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server

REFERENCE: URLREF

http://docs.emergingthreats.net/2024107

REFERENCE: CVE

CVE-2017-7269

 

 

MS:KERBEROS-PRIV-ESCAL

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows a domain user to elevate to domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for the pykek toolkit being used to exploit this vulnerability.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

REFERENCE: URLREF

http://github.com/bidord/pykek

REFERENCE: URLREF

http://docs.emergingthreats.net/2019897

REFERENCE: CVE

CVE-2014-6324

 

 

MS:KERBEROS-PRIV-ESCAL-2

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows a domain user to elevate to domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for impacket being used to exploit this vulnerability.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

REFERENCE: URLREF

http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py

REFERENCE: URLREF

http://docs.emergingthreats.net/2019922

REFERENCE: CVE

CVE-2014-6324

 

 

MS:SMB-REQUEST-REMOTE

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024297

REFERENCE: CVE

CVE-2017-0143

 

 

MS:SMB2-PROCESSID-NEGOTIATE

UPDATE-TYPE: New Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMBv2 packets. Microsoft has released a patch (MS09-050) for this vulnerability.

REFERENCE: URLREF

http://www.exploit-db.com/exploits/14674/

REFERENCE: URLREF

http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

REFERENCE: URLREF

http://docs.emergingthreats.net/2012063

REFERENCE: CVE

CVE-2009-3103

 

 

MS:SMBV1-REQUEST-REMOTE

UPDATE-TYPE: Modified Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024217

REFERENCE: CVE

CVE-2017-0144

 

 

MS:SMBV1-REQUEST-REMOTE2

UPDATE-TYPE: Modified Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024220

REFERENCE: CVE

CVE-2017-0144

 

 

MS:SMBV1-RESPONSE-REMOTE

UPDATE-TYPE: Modified Signature

CLASSIFICATION: BETA

DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.

REFERENCE: URLREF

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/

REFERENCE: URLREF

http://docs.emergingthreats.net/2024218

REFERENCE: CVE

CVE-2017-0144

Dudley, Jeff, Employee

Posted 1 year ago
