Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
20
Helpful
5
Replies

MS .ANI Exploit

mhellman
Level 7
Level 7

‎03-31-2007 07:44 AM - edited ‎03-10-2019 03:32 AM

Snort and ISS have had a signature for this since 2005. Lots of other products appear to detect this as of 2005 as well. Where is the Cisco sig? I found a default disabled/retired sig, (3718-0, Windows .ANI File DoS), but it doesn't appear to work against the latest exploits.

Labels:
0 Helpful
5 Replies 5

wsulym
Cisco Employee
Cisco Employee

‎03-31-2007 02:40 PM

Signature 5442-0. Available since s137 (January 2005)

Linked and visible from MySDN:

http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=5384

So far, this fires against all exploits I've seen.

Raymond Aragon
Level 1
Level 1

‎04-02-2007 10:56 AM

Please check the My Self Defending Network link:

www.mysdn.com

It is currently at the top of the page and can be searched for. Here is the Cisco ID: 5384

Pleas use the MYSDN website for security information ther is some good info there.

Regards,

Ray

Raymond Aragon
Level 1
Level 1
In response to Raymond Aragon

‎04-02-2007 10:57 AM

BTW:

Cisco Security Agent has shown to protect against this exploit. It offers some good protection against many DAY Zero exploits without the need for patching per exploit like many AV applications. It works well with AV and is not a replacement for AV.

Regards,

Ray

tsteger1
Level 8
Level 8
In response to Raymond Aragon

‎04-02-2007 11:27 AM

Hi Ray, where is this explained in detail? I'd like to show it to some folks.

I could not find it listed among the security bulletins here:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletins_list.html

Thanks in advance

Tom

0 Helpful

Raymond Aragon
Level 1
Level 1
In response to tsteger1

‎04-02-2007 11:52 AM

Ok well first off the signature has information you can review:

http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=5384

Updated Microsoft advisory:

http://www.microsoft.com/technet/security/advisory/935423.mspx

Great eWEEK article with AWESOME links:

http://securitywatch.eweek.com/exploits_and_attacks/ani_zero_day_takes_new_turns_to_the_ubernasty.html?kc=EWEWEMNL040207EP37A

CSA info is not posted yet but it should be very shortly.

I hope this helps.

Ray

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card