From: Tina Bird (tbirdprecision-guesswork.com)
Date: Thu Feb 14 2002 - 22:55:57 CST

    Here's what I've been able to collect from
    the IDS community:

    The Snort community has created several rules
    specific to the malformed packets created within
    the PROTOS suite. The specifics are on line at:

    http://www.geocrawler.com/lists/3/SourceForge/6752/0/7840200/

    ------------------------------------------------
    Cisco Secure Intrusion Detection System (NetRanger): Specific signatures
    are available to detect the PROTOS tool suite, but the signature IDs have
    not yet been released to the public. NetRanger is known to be vulnerable
    to the SNMP issues; see Cisco's advisory for more information and the
    appropriate Defect ID and intended first fixed releases.

    http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml#noniossw

    The current signature set available for the Cisco IDS is
    dated 14 February, but does not specifically mention the
    PROTOS test suite in its release notes.
    ----------------------------------------------
    Enterasys Dragon: 5 new rules created and submitted to database:
    SNMP:TRAP-FMT-STRING, SNMP:TRAP-FMT-NUMBER, SNMP:BUFFER-TEST,
    SNMP:GET-FMT-NUMBER, SNMP:GET-FMT-STRING. New signatures
    are available at

    https://dragon.enterasys.com/sig-maint/index.html

    Dragon Sensor and Dragon Squire are also both vulnerable
    to the SNMP bugs. Updated versions of Dragon Squire are
    available for registered customers at

    https://dragon.enterasys.com/dragon5-fixes/index.html

    Updates for Dragon Sensor will be released shortly.
    -------------------------------------------
    Network Flight Recorder's Rapid Response Team

    NFR is not vulnerable to the SNMP bugs. New
    signatures are available for registered customers
    at

    http://support.nfr.net
    -------------------------------------------

    ISS has released generic signatures for RealSecure and BlackICE that will
    detect SNMP traffic, but do not appear to be specific for the PROTOS tool:

    http://gtoc.iss.net/snmpalert.pdf
    http://www.iss.net/security_center/alerts/advise110.php

    In environments where SNMP is used for system
    management and monitoring, these signatures will
    create a large number of false positives.

    According to the ISS Web site, they will be releasing
    signatures that are specific to the PROTOS test suite
    shortly.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com