Trying to add a new rule to cover the new ANI exploit. I've never added a rule before, so hoping that someone here can answer a question about what goes where. Using http://portal.knowledgebase.net/display/2/kb/article.asp?aid=118063&n=5&s=1 as guidance.
From a source I consider reputable, I've seen the following rule recommended:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)
Following the Astaro KB article, when creating the new rule:
Description: BLEEDING-EDGE CURRENT EVENTS MS ANI exploit
Selector: tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
Filter: flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|";
Do I leave off everything after that (classtype through rev), or can I leave all of that reference information on making the Filter entry:
flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;
Thanks.
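The split the post is asking about, as an added example (not from the post, the Bleeding Edge project, or the Astaro KB): a small parser that takes a Snort-format rule and emits the three Astaro fields named above, Description (the msg), Selector (the header without the action) and Filter (the remaining options, with the classtype/reference/sid/rev metadata kept or dropped by a flag). It also flags a rule whose header puts $HTTP_PORTS on the source side while its flow option says to_server, since a rule that can never match is worth catching before it is imported. The sample rule is the one quoted in the post; the field names and the metadata-key list are assumptions for this example.

```python
import re

# Constructed sample: the Bleeding Edge rule quoted above (all three references kept).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,to_server; '
    'content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; '
    'classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; '
    'reference:url,http://www.avertlabs.com/research/blog/?p=233; '
    'reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)'
)

# Options that describe the rule rather than the traffic (assumed set for this example).
METADATA_KEYS = {"classtype", "reference", "sid", "rev"}


def split_options(body):
    """Split the option body on ';' only when outside double quotes (content strings may hold ';')."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts


def to_astaro_fields(rule, keep_metadata=False):
    """Map a Snort rule onto the Description / Selector / Filter boxes; return warnings as well."""
    m = re.match(r'^\s*(\w+)\s+(.*?)\s*\((.*)\)\s*$', rule, re.S)
    if not m:
        raise ValueError("not a Snort-format rule")
    action, header, body = m.groups()
    msg, kept, warnings = None, [], []
    for opt in split_options(body):
        key, _, value = opt.partition(':')
        key = key.strip()
        if key == 'msg':
            msg = value.strip().strip('"')            # Description box
        elif key in METADATA_KEYS and not keep_metadata:
            continue                                   # drop classtype/reference/sid/rev
        else:
            kept.append(opt)                           # Filter box
        if key == 'flow' and 'to_server' in value and header.split()[2] == '$HTTP_PORTS':
            warnings.append("source port is $HTTP_PORTS (server->client) but flow says to_server")
    return {"action": action, "description": msg, "selector": header,
            "filter": "; ".join(kept) + ";", "warnings": warnings}
```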