Cisco Support Community
New Member

Server Service Code Execution sig for v4.1 IDS

Is there an IDS signature release for the 4.1 platform for this vulnerability?

The bulletin only mentions the 5.x platform.

3 REPLIES
Cisco Employee

Re: Server Service Code Execution sig for v4.1 IDS

IDS version 4.x doesn't have the capabilities required to detect these vulnerabilities with an acceptable level of fidelity, so we have no plans to release a signature to cover MS06-040 in an official 4.x signature update. This custom sig will work in 4.x but it is much more prone to false positives; the 5.x version uses the meta engine which is not available in 4.x.

String.tcp

service ports: 139,445

regex:

\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88[\x00-\xff]*\x05\x00\x00[\x00-\xff]\x10\x00\x00\x00[\x00-\xff]{5}\x00\x00\x00[\x00-\xff]{6}\x1f\x00([\x00-\xff]?{16})[\x00-\xff]{4}[\x01-\x25]\x00\x00\x00\x00\x00\x00\x00[\x01-\x25]\x00\x00\x00([0-9A-Za-z\x2e]\x00)*\x00\x00[\x00-\xff]{4}\x00\x00\x00\x00(([\x07-\xff][\x02][\x00][\x00])|([\x00-\xff][\x03-\xff][\x00][\x00])|([\x00-\xff][\x00-\xff][^\x00])|([\x00-\xff][\x00-\xff][\x00-\xff][^\x00]))

New Member

Re: Server Service Code Execution sig for v4.1 IDS

So when can the Cisco 2800 series be upgraded to engine 5.x?

I think it's misleading to advertise the 1800, 2800 and 3800 products as security products if signatures cannot be written for them.

New Member

Re: Server Service Code Execution sig for v4.1 IDS

According to the bulletin, I see that you have released S245 with SigID 5799.0 which looks like a version for the v4.x platform. Is this correct?

Is it NOT enabled by default because it is prone to false positives?
