
New Member

New sendmail exploit signatures

Anyone have a signature for the new remote sendmail exploit?

Bronze

Re: New sendmail exploit signatures

We are currently building the S42 signature update which will contain signature 3115 to deal with this worm. It will hopefully be done this evening. I will post here again when the package is ready.

Bronze

Re: New sendmail exploit signatures

The S41 package is available for early use at:

ftp://ftpeng.cisco.com/csids-sig-updates/S41/IDS-sig-3.1-3-S41.bin

Signature 3115 covers the Sendmail vulnerability. Mgmt. packages will follow shortly.

New Member

Re: New sendmail exploit signatures

Is the string available anywhere else? I am having problems with this link.

Bronze

Re: New sendmail exploit signatures

Try this instead...

First, goto the following URL:

ftp://ftpeng.cisco.com/csids-sig-updates/S41/

Once there, select either the .bin or .zip file, right-click it and select "Save as..." and download it as you see fit.

I suspect that, like myself, the file is opening in your browser as ASCII text if you follow the link to IDS-sig-3.1-3-S41.bin directly...

Hope this helps out!

New Member

Re: New sendmail exploit signatures

This sig is false alarming on valid exchange server email traffic, anyone else experiencing this?

Thx,

brkn!

New Member

Re: New sendmail exploit signatures

Why is this triggering the alarm? (names changed to protect the innocent)

SENSOR ID: 100

TIME UTC: 2003/03/05 21:16:13 Local: 2003/03/05 15:16:13

SIGID: 3115 "Sendmail Data Header Overflow" LEVEL: 5

SRC IP:PORT: 10.0.0.1:2926

DST IP:PORT: 10.0.2.10:25

MSG: From: user@host...aaaa...

CONTEXT S->D: 600 (CST)..Received: from unknown(XXX.XXX.XXX.XXX) by megarad.foo.com via csmap (2.0)...id srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600..

Message-Id: <200303052116.h25LG3V25247@megarad.foo.com>..From: "...

¢...." <fruity@lame.com.cn>.

New Member

Re: New sendmail exploit signatures

Yes..we are seeing false positives also at SBC DataComm.

New Member

Re: New sendmail exploit signatures

The overflow is triggered by a large number of <> bracket pairs. I think the following custom signature will do the trick:

Current Signature: Engine STRING.TCP SIGID 20020

SigName: Sendmail exploit

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = [\<\>]{100}

12 - ResetAfterIdle = 15

13 - ServicePorts = 25

14 - SigComment =

15 - SigName = Sendmail exploit

16 - SigStringInfo =

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Note it could also be triggered by multiple single brackets <<< or >>>, but packetd was not working with (\<\>){100}

Bronze

Re: New sendmail exploit signatures

Working with a customer, I have identified at least one false positive in signature 3115. A colon needs to be added to the regex after the To, From, and CC patterns. This will be fixed in sig update S42 for 3.1 sensors. If anyone is willing to send traffic samples, you can send them to mcerha@cisco.com, and I'll look at them for you.
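As an added illustration (not code from this thread or from Cisco), the two regex forms discussed above are run in Python's re module over constructed SMTP DATA samples: the custom signature's `[\<\>]{100}` beside the `(\<\>){100}` form the poster could not get packetd to accept, and a hypothetical header-length check with and without the colon that the S42 fix adds. The header patterns, the 80-character tail threshold and every sample are assumptions for the demonstration, not the real signature 3115.

```python
import re

# Regex from the custom STRING.TCP signature (SIGID 20020) posted in this thread:
# any run of 100 '<' or '>' characters, in any order.
BRACKET_RUN = re.compile(r"[\<\>]{100}")
# The form the poster said packetd would not accept: 100 literal "<>" pairs.
PAIR_RUN = re.compile(r"(\<\>){100}")

# Hypothetical stand-ins for the 3115 header check (Cisco's real regex is not on
# the page). LOOSE matches the bare words To/From/CC followed by a long tail on
# the same line; STRICT requires the colon of a real header line, as the S42 fix
# does. The 80-character tail is an assumed threshold, not a Cisco value.
LOOSE_HEADER = re.compile(r"(To|From|CC)[^\r\n]{80,}", re.IGNORECASE)
STRICT_HEADER = re.compile(r"^(To|From|CC):[^\r\n]{80,}", re.IGNORECASE | re.MULTILINE)


def bracket_run_alarm(data: str) -> bool:
    """True if the posted custom signature would fire on this DATA payload."""
    return BRACKET_RUN.search(data) is not None


def pair_run_alarm(data: str) -> bool:
    """True if the rejected pair form would have fired (misses <<< runs)."""
    return PAIR_RUN.search(data) is not None


def header_alarm(data: str, require_colon: bool) -> bool:
    """Header-length check with (strict) or without (loose) the colon fix."""
    pattern = STRICT_HEADER if require_colon else LOOSE_HEADER
    return pattern.search(data) is not None


# Constructed SMTP DATA samples, modelled on the context dump in the thread.
BENIGN = (
    "Received: from unknown(192.0.2.10) by mail.example.com via csmap (2.0)"
    " id srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600\r\n"
    "Message-Id: <200303052116.constructed@mail.example.com>\r\n"
    "From: \"Alice\" <alice@example.com>\r\n"
    "To: <bob@example.com>\r\n\r\nHello Bob.\r\n"
)
LONG_FROM = "From: " + "a" * 200 + " <x@example.com>\r\n"  # oversized header line
BRACKET_PAIRS = "From: " + "<>" * 100 + "\r\n"             # 200 mixed brackets
BRACKET_SINGLES = "From: " + "<" * 100 + "\r\n"            # 100 opening brackets

if __name__ == "__main__":
    for name, s in [("benign", BENIGN), ("long_from", LONG_FROM),
                    ("pairs", BRACKET_PAIRS), ("singles", BRACKET_SINGLES)]:
        print(f"{name:9} brackets={bracket_run_alarm(s)!s:5} pairs={pair_run_alarm(s)!s:5}"
              f" loose={header_alarm(s, False)!s:5} strict={header_alarm(s, True)}")
```

The benign sample trips only the loose check, through the lowercase "from" inside the Received: line, which is the kind of false positive the colon requirement removes.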
