New Member

SMB DOS sig

Greetings, has anyone come up with a custom sig that will catch the MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)) attack yet?

I have not seen much out there yet.

thx much, sam

1 REPLY
New Member

Re: SMB DOS sig

Sorry for the delay in this custom signature. There were some issues with false positives that we wanted to eliminate before releasing.

The following signature will be part of the S31 signature update:

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.TCP SIGID 20000

SigName: SMB Enum Share DoS

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = ....\xff\x53\x4d\x42\x25[\x00-\xff]{32}\x00\x00\x00\x00[\x00-\xff]{22}[^\x00]*\x00[\x00\xd7\x68]\x00\x57

12 - ResetAfterIdle = 15

13 - ServicePorts = 139,445

14 - SigComment =

15 - SigName = SMB Enum Share DoS

16 - SigStringInfo = SMBdie

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Selection>
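Added example, not part of the original thread or of Cisco's signature update: a small Python harness that runs the RegexString above against constructed byte strings, to show which positions decide whether the signature fires. Python's re module stands in for the sensor's STRING.TCP engine, the helper names build_frame and fires are hypothetical, and reading the four pinned zero bytes as the transaction request's two 16-bit max-count fields is this example's interpretation of the standard SMB layout, not something the post states.

```python
import re
import struct

# RegexString copied from the signature above. Python's re stands in for the
# sensor's STRING.TCP engine (assumption); DOTALL lets '.' match any byte.
SIG = re.compile(
    rb"....\xff\x53\x4d\x42\x25[\x00-\xff]{32}\x00\x00\x00\x00"
    rb"[\x00-\xff]{22}[^\x00]*\x00[\x00\xd7\x68]\x00\x57",
    re.DOTALL,
)

def build_frame(max_param, max_data, function, name=b"\\PIPE\\LANMAN"):
    """Constructed regex input shaped like an SMB transaction (0x25) request.
    Header and session fields are zero filler, not a usable request."""
    params = struct.pack("<H", function) + b"WrLeh\x00"   # 2-byte code, then a 'W...' string
    data = name + b"\x00" + params
    header = b"\xffSMB\x25" + bytes(27)                   # marker, command, rest of 32-byte header
    words = struct.pack("<BHH", 14, len(params), 0)       # count byte plus two 16-bit totals
    words += struct.pack("<HH", max_param, max_data)      # the four bytes the regex pins to zero
    words += bytes(20)                                    # remaining fixed-size words (filler)
    body = header + words + struct.pack("<H", len(data)) + data
    return struct.pack(">I", len(body)) + body            # 4-byte length prefix matched by '....'

def fires(frame):
    """True if the signature regex matches anywhere in the frame."""
    return SIG.search(frame) is not None

# Constructed cases: three that satisfy every pinned position, three that miss one.
CASES = {
    "zero max counts, code 0x00": build_frame(0, 0, 0x00),
    "zero max counts, code 0x68": build_frame(0, 0, 0x68),
    "zero max counts, code 0xd7": build_frame(0, 0, 0xD7),
    "non-zero max counts": build_frame(1024, 4096, 0x00),
    "code outside the regex set": build_frame(0, 0, 0x01),
    "string after code not 'W'": build_frame(0, 0, 0x00).replace(b"WrLeh", b"zrLeh"),
}

if __name__ == "__main__":
    for label, frame in CASES.items():
        print(f"{label:32} -> {'alarm' if fires(frame) else 'no alarm'}")
```

Because every element before [^\x00]* has a fixed width, the match is tied to exact offsets from the \xffSMB\x25 marker, so a request that differs at any one pinned position produces no alarm.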
