https://community.extremenetworks.com/t5/end-of-service-products/new-dragon-ips-signature-release/m-p/25029#M602 The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:<BR /> <BR /> <BR /> <BR /> IIS:WEBDAV-REMOTE-CODE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in the Microsoft IIS server on Windows XP and Windows 2003 that may lead to remote code execution. The vulnerability is in the processing of specific HTTP headers within IIS. Microsoft has released a patch for this vulnerability.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py" target="_blank" rel="nofollow noreferrer noopener">http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server" target="_blank" rel="nofollow noreferrer noopener">https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024107" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024107</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-7269<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:KERBEROS-PRIV-ESCAL<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows for domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for pykek toolkit being used to exploit this vulnerability. <BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms14-068.aspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://github.com/bidord/pykek" target="_blank" rel="nofollow noreferrer noopener">http://github.com/bidord/pykek</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2019897" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2019897</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2014-6324<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:KERBEROS-PRIV-ESCAL-2<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows for domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for impacket being used to exploit this vulnerability. <BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms14-068.aspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py" target="_blank" rel="nofollow noreferrer noopener">http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2019922" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2019922</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2014-6324<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMB-REQUEST-REMOTE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024297" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024297</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0143<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMB2-PROCESSID-NEGOTIATE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMBv2 packets. Microsoft has released a patch (MS09-050) for this vulnerability.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://www.exploit-db.com/exploits/14674/" target="_blank" rel="nofollow noreferrer noopener">http://www.exploit-db.com/exploits/14674/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx" target="_blank" rel="nofollow noreferrer noopener">http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2012063" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2012063</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2009-3103<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-REQUEST-REMOTE<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024217" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024217</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-REQUEST-REMOTE2<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024220" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024220</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-RESPONSE-REMOTE<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024218" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024218</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> Wed, 28 Jun 2017 15:41:00 GMT Dudley__Jeff 2017-06-28T15:41:00Z https://community.extremenetworks.com/t5/end-of-service-products/new-dragon-ips-signature-release/m-p/25029#M602 The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:<BR /> <BR /> <BR /> <BR /> IIS:WEBDAV-REMOTE-CODE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in the Microsoft IIS server on Windows XP and Windows 2003 that may lead to remote code execution. The vulnerability is in the processing of specific HTTP headers within IIS. Microsoft has released a patch for this vulnerability.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py" target="_blank" rel="nofollow noreferrer noopener">http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server" target="_blank" rel="nofollow noreferrer noopener">https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024107" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024107</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-7269<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:KERBEROS-PRIV-ESCAL<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows for domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for pykek toolkit being used to exploit this vulnerability. <BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms14-068.aspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://github.com/bidord/pykek" target="_blank" rel="nofollow noreferrer noopener">http://github.com/bidord/pykek</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2019897" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2019897</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2014-6324<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:KERBEROS-PRIV-ESCAL-2<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows for domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for impacket being used to exploit this vulnerability. <BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms14-068.aspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py" target="_blank" rel="nofollow noreferrer noopener">http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2019922" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2019922</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2014-6324<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMB-REQUEST-REMOTE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024297" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024297</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0143<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMB2-PROCESSID-NEGOTIATE<BR /> <BR /> UPDATE-TYPE: New Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMBv2 packets. Microsoft has released a patch (MS09-050) for this vulnerability.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://www.exploit-db.com/exploits/14674/" target="_blank" rel="nofollow noreferrer noopener">http://www.exploit-db.com/exploits/14674/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx" target="_blank" rel="nofollow noreferrer noopener">http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2012063" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2012063</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2009-3103<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-REQUEST-REMOTE<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024217" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024217</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-REQUEST-REMOTE2<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024220" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024220</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> <BR /> <BR /> MS:SMBV1-RESPONSE-REMOTE<BR /> <BR /> UPDATE-TYPE: Modified Signature<BR /> <BR /> CLASSIFICATION: BETA<BR /> <BR /> DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomeware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.<BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/" target="_blank" rel="nofollow noreferrer noopener">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/</A><BR /> <BR /> REFERENCE: URLREF<BR /> <BR /> <A href="http://docs.emergingthreats.net/2024218" target="_blank" rel="nofollow noreferrer noopener">http://docs.emergingthreats.net/2024218</A><BR /> <BR /> REFERENCE: CVE<BR /> <BR /> CVE-2017-0144<BR /> <BR /> <BR /> <BR /> Wed, 28 Jun 2017 15:41:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/new-dragon-ips-signature-release/m-p/25029#M602 Dudley__Jeff 2017-06-28T15:41:00Z