03-31-2007 07:44 AM - edited 03-10-2019 03:32 AM
Snort and ISS have had a signature for this since 2005. Lots of other products appear to detect this as of 2005 as well. Where is the Cisco sig? I found a default disabled/retired sig (3718-0, Windows .ANI File DoS), but it doesn't appear to work against the latest exploits.
03-31-2007 02:40 PM
Signature 5442-0. Available since s137 (January 2005)
Linked and visible from MySDN:
http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=5384
So far, this fires against all exploits I've seen.
04-02-2007 10:56 AM
Please check the My Self Defending Network link:
It is currently at the top of the page and can be searched for. Here is the Cisco ID: 5384
Please use the MYSDN website for security information; there is some good info there.
Regards,
Ray
04-02-2007 10:57 AM
BTW:
Cisco Security Agent has been shown to protect against this exploit. It offers some good protection against many Day Zero exploits without the need for patching per exploit like many AV applications. It works well with AV and is not a replacement for AV.
Regards,
Ray
04-02-2007 11:27 AM
Hi Ray, where is this explained in detail? I'd like to show it to some folks.
I could not find it listed among the security bulletins here:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletins_list.html
Thanks in advance
Tom
04-02-2007 11:52 AM
OK, well, first off, the signature has information you can review:
http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=5384
Updated Microsoft advisory:
http://www.microsoft.com/technet/security/advisory/935423.mspx
Great eWEEK article with AWESOME links:
CSA info is not posted yet but it should be very shortly.
I hope this helps.
Ray