New sendmail exploit signatures

brok3n
Level 1

Anyone have a signature for the new remote sendmail exploit?

15 Replies

mcerha
Level 3

We are currently building the S42 signature update which will contain signature 3115 to deal with this worm. It will hopefully be done this evening. I will post here again when the package is ready.

The S41 package is available for early use at:

ftp://ftpeng.cisco.com/csids-sig-updates/S41/IDS-sig-3.1-3-S41.bin

Signature 3115 covers the Sendmail vulnerability. Mgmt. packages will follow shortly.

Is the string available anywhere else? I am having problems with this link.

Try this instead...

First, go to the following URL:

ftp://ftpeng.cisco.com/csids-sig-updates/S41/

Once there, select either the .bin or .zip file, right-click it and select "Save as..." and download it as you see fit.

I suspect that, as in my case, the file is opening in your browser as ASCII text if you follow the link to IDS-sig-3.1-3-S41.bin directly...

Hope this helps out!

This sig is false alarming on valid exchange server email traffic, anyone else experiencing this?

Thx,

brkn!

Why is this triggering the alarm? (names changed to protect the innocent)

SENSOR ID: 100

TIME UTC: 2003/03/05 21:16:13 Local: 2003/03/05 15:16:13

SIGID: 3115 "Sendmail Data Header Overflow" LEVEL: 5

SRC IP:PORT: 10.0.0.1:2926

DST IP:PORT: 10.0.2.10:25

MSG: From: user@host...aaaa...

CONTEXT S->D: 600 (CST)..Received: from unknown(XXX.XXX.XXX.XXX) by megarad.foo.com via csmap (2.0)...id srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600..

Message-Id: <200303052116.h25LG3V25247@megarad.foo.com>..From: "...

¢...." <fruity@lame.com.cn>.

Yes..we are seeing false positives also at SBC DataComm.

pheuch
Level 1

The overflow is triggered by a large number of <> bracket pairs. I think the following custom signature will do the trick:

Current Signature: Engine STRING.TCP SIGID 20020

SigName: Sendmail exploit

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = [\<\>]{100}

12 - ResetAfterIdle = 15

13 - ServicePorts = 25

14 - SigComment =

15 - SigName = Sendmail exploit

16 - SigStringInfo =

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Note it could also be triggered by multiple single brackets <<< or >>>, but packetd was not working with (\<\>){100}

Working with a customer, I have identified at least one false positive in signature 3115. A colon needs to be added to the regex after the To, From, and CC patterns. This will be fixed in sig update S42 for 3.1 sensors. If anyone is willing to send traffic samples, you can send them to mcerha@cisco.com, and I'll look at them for you.
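The following Python script is an added example, not code from this thread or from Cisco. It puts the two detection ideas above side by side: pheuch's custom STRING.TCP RegexString [\<\>]{100} (which, as noted, also fires on runs of single brackets such as <<<<), and mcerha's point that a To/From/CC header pattern needs the colon after the field name, since without it the word "from" inside a Received: trace line can match on ordinary mail. The MAX_FIELD_LEN threshold, the header regex, and the sample DATA-phase text are all constructed assumptions for illustration; the real signature 3115 regex is not shown anywhere in the thread.

```python
import re

# Added example, not code from the thread or from Cisco. It demonstrates two
# detection ideas from the discussion: the custom STRING.TCP RegexString
# [\<\>]{100} for a run of angle brackets, and the observation that a header
# pattern for To/From/CC needs the colon to avoid false positives. The
# MAX_FIELD_LEN threshold and the header regex are assumptions for
# illustration; the real signature 3115 regex is not shown in the thread.

# The custom RegexString from the thread as a Python regex: 100 consecutive
# '<' or '>' characters, so it fires on "<>" pairs and on runs like "<<<<".
BRACKET_RUN = re.compile(r"[<>]{100}")

# Assumed threshold (constructed): a field body at least this long is "suspect".
MAX_FIELD_LEN = 80


def header_field_pattern(require_colon: bool) -> re.Pattern:
    """Build an illustrative 'overlong To/From/CC field' regex.

    Without the colon the keyword also matches the word "from" inside other
    headers such as a Received: trace line; with it, only real field names.
    """
    sep = ":" if require_colon else ""
    return re.compile(
        r"\b(to|from|cc)" + sep + r"[^\r\n]{" + str(MAX_FIELD_LEN) + r",}",
        re.IGNORECASE | re.MULTILINE,
    )


def bracket_run_hits(payload: str) -> int:
    """Number of non-overlapping 100-character bracket runs in the payload."""
    return len(BRACKET_RUN.findall(payload))


def long_header_fields(payload: str, require_colon: bool) -> list:
    """Lower-cased field names on which the header pattern fired."""
    pattern = header_field_pattern(require_colon)
    return [m.group(1).lower() for m in pattern.finditer(payload)]


# Constructed SMTP DATA-phase text modelled on a normal delivery (not captured
# traffic). The Received: line is long and contains "from" without a colon.
BENIGN_DATA = "\r\n".join([
    "Received: from unknown(192.0.2.10) by mail.example.test via csmap (2.0) "
    "id constructed0001; Wed, 5 Mar 03 15:15:58 -0600",
    "Message-Id: <20030305.constructed@mail.example.test>",
    'From: "Alice Example" <alice@example.test>',
    "To: bob@example.test",
    "Subject: weekly report",
])

# Constructed suspect message: the From: field body is padded with 100 "<>" pairs.
SUSPECT_DATA = "\r\n".join([
    "Received: from mx.example.test by mail.example.test; Wed, 5 Mar 03 15:16:00 -0600",
    "From: " + "<>" * 100 + "@example.test",
    "To: bob@example.test",
])


def evaluate(payload: str) -> dict:
    """Run all three checks on one payload and return their results."""
    return {
        "bracket_runs": bracket_run_hits(payload),
        "fields_no_colon": long_header_fields(payload, require_colon=False),
        "fields_with_colon": long_header_fields(payload, require_colon=True),
    }


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_DATA), ("suspect", SUSPECT_DATA)):
        print(name, evaluate(data))
```

Running it shows the benign message firing the no-colon header pattern on its Received: line while the with-colon variant stays quiet, and the padded From: field tripping both the bracket-run regex and both header variants; that is exactly the class of false positive the colon fix removes, and the bracket-run check confirms why [\<\>]{100} also covers runs of single brackets.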

Any ETA for S42 -- we need this sig functioning.

thx,

-brkn!

Same here.

And we'd also like to know what the exact detection strings are for SigID 3115 on S41, since we are experiencing lots of alerts which look benign.

If you look into the SigWizMenu, it doesn't look like there's a regex string or so.

Thank you.

S42 should be posted to CCO this afternoon.

Are you talking about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337?

Anyway last sensor version available in CCO is S40 even if I received Cisco IDS Active Update Bulletin #51 announcing S41. Please help.

Yes, this is the vulnerability. Also, S42 has been on CCO for over a day now.
