03-03-2003 11:47 AM - edited 03-09-2019 02:20 AM
Anyone have a signature for the new remote sendmail exploit?
03-03-2003 05:48 PM
We are currently building the S42 signature update which will contain signature 3115 to deal with this worm. It will hopefully be done this evening. I will post here again when the package is ready.
03-03-2003 10:38 PM
The S41 package is available for early use at:
ftp://ftpeng.cisco.com/csids-sig-updates/S41/IDS-sig-3.1-3-S41.bin
Signature 3115 covers the Sendmail vulnerability. Mgmt. packages will follow shortly.
03-04-2003 08:01 AM
Is the string available anywhere else? I am having problems with this link.
03-04-2003 10:15 AM
Try this instead...
First, goto the following URL:
ftp://ftpeng.cisco.com/csids-sig-updates/S41/
Once there, select either the .bin or .zip file, right-click it and select "Save as..." and download it as you see fit.
I suspect that, like myself, the file is opening in your browser as ASCII text if you follow the link to IDS-sig-3.1-3-S41.bin directly...
Hope this helps out!
03-05-2003 01:45 PM
This sig is false alarming on valid Exchange server email traffic; anyone else experiencing this?
Thx,
brkn!
03-05-2003 01:59 PM
Why is this triggering the alarm? (names changed to protect the innocent)
SENSOR ID: 100
TIME UTC: 2003/03/05 21:16:13 Local: 2003/03/05 15:16:13
SIGID: 3115 "Sendmail Data Header Overflow" LEVEL: 5
SRC IP:PORT: 10.0.0.1:2926
DST IP:PORT: 10.0.2.10:25
MSG: From: user@host...aaaa...
CONTEXT S->D: 600 (CST)..Received: from unknown(XXX.XXX.XXX.XXX) by megarad.foo.com via csmap (2.0)...id srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600..
Message-Id: <200303052116.h25LG3V25247@megarad.foo.com>..From: "...
¢...." <fruity@lame.com.cn>.
03-06-2003 01:22 PM
Yes, we are seeing false positives also at SBC DataComm.
03-05-2003 04:50 AM
The overflow is triggered by a large number of <> bracket pairs. I think the following custom signature will do the trick:
Current Signature: Engine STRING.TCP SIGID 20020
SigName: Sendmail exploit
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength =
8 - MinHits = 1
9 - MinMatchLength =
10 - MultipleHits =
11 * RegexString = [\<\>]{100}
12 - ResetAfterIdle = 15
13 - ServicePorts = 25
14 - SigComment =
15 - SigName = Sendmail exploit
16 - SigStringInfo =
17 - StripTelnetOptions =
18 - ThrottleInterval = 15
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
Note it could also be triggered by multiple single brackets <<< or >>>, but packetd was not working with (\<\>){100}
03-06-2003 03:46 PM
Working with a customer, I have identified at least one false positive in signature 3115. A colon needs to be added to the regex after the To, From, and CC patterns. This will be fixed in sig update S42 for 3.1 sensors. If any one is willing to send traffic samples, you can send them to mcerha@cisco.com, and I'll look at them for you.
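The two detection ideas in this thread, the custom STRING.TCP signature's RegexString `[\<\>]{100}` and the "add a colon after To, From and CC" refinement, can be tried out offline against sample SMTP DATA payloads. The following Python is an added example and is not code from any poster or from the Cisco sensor; the sample messages are constructed, and the header-scoped matcher is an assumption about what anchoring on `To:`/`From:`/`Cc:` (name followed by a colon) buys you, not the actual S42 regex. It also shows why `[<>]{100}` fires on `<<<...` and `>>>...` runs while `(<>){100}` only fires on contiguous pairs.

```python
import re

# RegexString from the custom STRING.TCP signature posted in the thread: a run
# of 100 angle-bracket characters anywhere in the stream to the service port.
RAW_STREAM_RE = re.compile(rb"[<>]{100}")

# The variant that did not work in packetd: one hundred contiguous "<>" pairs.
PAIR_RE = re.compile(rb"(?:<>){100}")

# Assumed header-scoped check: the bracket run must be inside the value of a
# To:, From: or Cc: header field, so the field name must be followed by a colon.
HEADER_RE = re.compile(rb"^(?:To|From|Cc):[^\r\n]*?[<>]{100}",
                       re.IGNORECASE | re.MULTILINE)

# --- constructed sample payloads (not captured traffic) ---------------------
BENIGN = (
    b"Received: from unknown(192.0.2.1) by mail.example.test\r\n"
    b"From: \"Alice Example\" <alice@example.test>\r\n"
    b"To: <bob@example.test>, <carol@example.test>\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"Body text.\r\n"
)
# Display name in the From: field stuffed with 100 "<>" pairs.
HEADER_RUN = (
    b"From: \"" + b"<>" * 100 + b"\" <x@example.test>\r\n"
    + b"To: <bob@example.test>\r\n\r\nBody.\r\n"
)
# Clean headers; a 120-character bracket run appears only in the body, and the
# word "From" there is ordinary text, not a header field.
BODY_RUN = (
    b"From: <alice@example.test>\r\nTo: <bob@example.test>\r\n\r\n"
    b"From the ascii-art department:\r\n" + b"<" * 60 + b">" * 60 + b"\r\n"
)


def split_headers(data: bytes) -> bytes:
    """Return the header section of a DATA payload (everything before the blank line)."""
    head, _, _ = data.partition(b"\r\n\r\n")
    return head


def unfold(headers: bytes) -> bytes:
    """Join folded header continuation lines so a value is inspected as one line."""
    return re.sub(rb"\r\n[ \t]+", b" ", headers)


def custom_sig_fires(data: bytes) -> bool:
    """The thread's custom signature: 100 bracket characters anywhere in the stream."""
    return RAW_STREAM_RE.search(data) is not None


def pair_sig_fires(data: bytes) -> bool:
    """The (<>){100} form: only contiguous pairs, so <<<< or >>>> runs are missed."""
    return PAIR_RE.search(data) is not None


def header_scoped_fires(data: bytes) -> bool:
    """Assumed refinement: the run must sit in a To:/From:/Cc: header value."""
    return HEADER_RE.search(unfold(split_headers(data))) is not None


def bracket_counts(data: bytes) -> dict:
    """Count '<' and '>' per header field; useful when tuning a threshold."""
    counts = {}
    for line in unfold(split_headers(data)).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("ascii", "replace")
        counts[key] = counts.get(key, 0) + value.count(b"<") + value.count(b">")
    return counts


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("header_run", HEADER_RUN),
                           ("body_run", BODY_RUN)):
        print(f"{label:11} custom={custom_sig_fires(payload)!s:5} "
              f"pairs={pair_sig_fires(payload)!s:5} "
              f"header_scoped={header_scoped_fires(payload)!s:5} "
              f"counts={bracket_counts(payload)}")
```

Run as a script to see the three payloads side by side: the raw-stream regex fires on both the header run and the body run, the pair form misses the `<<<...>>>` run, and the header-scoped check fires only when the brackets are in a To/From/Cc field value.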
03-07-2003 06:44 AM
Any ETA for S42 -- we need this sig functioning.
thx,
-brkn!
03-10-2003 02:11 AM
Same here.
And we'd also like to know what the exact detection strings for SigID 3115
on S41 are, since we are experiencing lots of alerts which look benign.
If you look into the SigWizMenu, it doesn't look like there's a regex string or so.
Thank you.
03-10-2003 03:04 PM
S42 should be posted to CCO this afternoon.
03-12-2003 09:02 AM
Are you talking about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337?
Anyway, the latest sensor version available on CCO is S40, even though I received Cisco IDS Active Update Bulletin #51 announcing S41. Please help.
03-12-2003 11:26 AM
Yes, this is the vulnerability. Also, S42 has been on CCO for over a day now.