About admin


admin has written 37 articles so far, you can find them below.


September Microsoft Bulletins

IBM/ISS Coverage

http://bit.ly/11xX5Q

MS Bulletin | Coverage | Coverage Date
MS09-049 | Scanner only (1.59) | September 8, 2009
MS09-048 | XPUs 20.90, 1.71, 1.72, 28.010, 28.150, 29.130, 29.030, 29.070, 29.080 | Multiple dates of coverage (2006, 2008, 2009)
MS09-047 | XPU 20.90 | September 8, 2009
MS09-046 | XPU 20.90 | September 8, 2009
MS09-045 | XPU 20.90 | September 8, 2009

Cisco

http://bit.ly/R1LEj

MS Bulletin | Coverage | Coverage Date
MS09-049 | NA |
MS09-048 | S430, S248, S431, S242 | Multiple dates of coverage
MS09-047 | S431 | September 8, 2009
MS09-046 | S431 | September 8, 2009
MS09-045 | S431 | September 8, 2009

McAfee

http://bit.ly/4w90TJ

MS Bulletin | Signature ID | Coverage Date
MS09-049 | Foundstone 7110 |
MS09-048 | 0x9E00, 7106 | September 8, 2009; September 9, 2009
MS09-047 | 7108, 7109, 0x40265D00, 0x40265E00 | September 8, 2009; September 9, 2009
MS09-046 | 0x40266900 | September 8, 2009
MS09-045 | 7098, 0x40266800 | September 8, 2009; September 9, 2009

Microsoft Security Advisory (975191)

Microsoft has announced a vulnerability in the IIS FTP service. It is a stack-based buffer overflow caused by improper bounds checking in the FTP service: by sending an overly long NLST command, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges, or crash the service.

IPS Vendor | Protection | Date | Link
IBM/ISS | yes | Jun 6, 2002; Sept 3, 2003 | http://bit.ly/2loiYU
Cisco | yes | Sept 2, 2009 | http://bit.ly/YJ97S
McAfee | yes | Aug 31, 2009 | No link

It is nice to see IBM/ISS with coverage dating back 6-7 years! The primary signature, FTP_Mkd_Overflow, was originally developed for a vulnerability in WS_FTP Server but provides protection for this vulnerability as well, and it is enabled by default. A signature keyed on an overlong MKD works here because the attacker needs write access to create the overly long directory name before listing it, which is also why Microsoft's advisory lists denying directory creation to untrusted FTP users as a workaround.

Exploit code has been published on Milw0rm and has been added to Metasploit.
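As an added example (not code from this post, from Microsoft, or from any of the IPS vendors listed above), here is a small stateful detector in Python for the pattern the advisory describes: an overly long path argument to NLST, with MKD tracked separately because directory creation is the precondition for building that path. The 200-byte threshold, the verb lists, the severity labels and the sample session are assumptions constructed for illustration; vendor signatures use their own limits.

```python
"""Added example: detect the IIS FTP NLST overflow pattern (MS advisory 975191).

Assumptions (not from the original post): MAX_ARG_LEN, the verb sets and
SAMPLE_SESSION are constructed for illustration only.
"""
import re

MAX_ARG_LEN = 200                                  # constructed threshold (assumption)
PATH_VERBS = {"NLST", "LIST", "MKD", "XMKD", "CWD", "XCWD"}
WRITE_VERBS = {"MKD", "XMKD"}                      # directory creation = advisory's precondition

# One FTP client command: 3-4 letter verb, optional single space, optional argument.
FTP_LINE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def parse_ftp_command(raw: bytes):
    """Return (VERB, argument_bytes) for one client line; (None, line) if not a command."""
    line = raw.rstrip(b"\r\n")
    m = FTP_LINE.match(line)
    if not m:
        return None, line
    return m.group(1).upper().decode("ascii"), m.group(2) or b""


def scan_session(lines):
    """Scan the client side of one FTP control session, returning alert dicts.

    A long argument to any path-taking verb is flagged; a long NLST after the
    session has already created a directory is raised to 'high', since that is
    the exploit's shape (write access used to build the path, then NLST on it).
    """
    alerts = []
    saw_directory_creation = False
    for idx, raw in enumerate(lines):
        verb, arg = parse_ftp_command(raw)
        if verb is None:
            continue
        if verb in WRITE_VERBS:
            saw_directory_creation = True
        if verb in PATH_VERBS and len(arg) > MAX_ARG_LEN:
            severity = "high" if (saw_directory_creation and verb == "NLST") else "medium"
            alerts.append({"line": idx, "verb": verb, "arg_len": len(arg), "severity": severity})
    return alerts


# Constructed sample session (assumption): anonymous login, a benign listing,
# then an overlong directory is created and listed.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"CWD /pub\r\n",
    b"NLST\r\n",
    b"MKD " + b"A" * 300 + b"\r\n",
    b"NLST " + b"A" * 300 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print(alert)
```

Running the block prints two alerts for the constructed session: a medium one for the 300-byte MKD and a high one for the NLST that follows it, while the argument-less NLST earlier in the session is left alone.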


Detecting bot-nets

We hear a lot about the rise of organized crime and the sophistication of attackers. While this is true, in many cases I still see amateurish attacks.

While reviewing an IPS I found the following messages. IPS still provides a great way to detect bot-nets, and while there is an obvious problem on this network, these IRC connections are being blocked by the IPS.

An interesting article related to this can be found here.

IRC Messages

:nick :msg
#usb Infected usb drive: E:

Interesting Nicknames to an IRC channel

VirUs-rigvgunl
VirUs-rflkbvny
VirUs-rexehaxz
VirUs-rcpcmobp
VirUs-rboinhcv
VirUs-raquheuv
VirUs-raozodkn
VirUs-racgucrn
VirUs-quyozuoc
VirUs-qufnunld
VirUs-msubtplz
[03|MEX|XP|981734]
[03|MEX|XP|444546]
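As an added example (not code from this post or from the IPS that produced the log above), here is the kind of detection logic an IPS applies to traffic like this in Python: parse IRC protocol lines, flag nicknames that fit the two families seen above (a fixed "VirUs-" prefix plus eight random lowercase letters, and a bracketed [country-id|country|OS|victim-id] tag), and flag the "Infected usb drive" status message. The regexes are my generalization of the page's samples, and the IRC lines fed to it are constructed, not captured.

```python
"""Added example: flag IRC bot nicknames and status messages.

Assumptions (not from the original post): the two nickname regexes generalize
the samples quoted above; SAMPLE_IRC is constructed for illustration.
"""
import re

BOT_NICK_PATTERNS = {
    "virus-prefix": re.compile(r"^VirUs-[a-z]{8}$"),                   # e.g. VirUs-rigvgunl
    "bracket-tag": re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+\]$"),  # e.g. [03|MEX|XP|981734]
}
# Status text the infected hosts push into the channel (constructed pattern).
BOT_MSG_PATTERNS = [re.compile(r"^Infected usb drive: [A-Z]:$")]


def parse_irc_line(line: str):
    """Split one IRC line into (prefix, COMMAND, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", [], trailing
    return prefix, parts[0].upper(), parts[1:], trailing


def classify_nick(nick: str):
    """Return the name of the bot-nick family a nickname matches, or None."""
    for name, pattern in BOT_NICK_PATTERNS.items():
        if pattern.match(nick):
            return name
    return None


def scan_irc(lines):
    """Return (line_no, reason, nick) alerts for bot-like NICK, JOIN and PRIVMSG lines."""
    alerts = []
    for n, line in enumerate(lines):
        prefix, command, params, trailing = parse_irc_line(line)
        sender = prefix.split("!", 1)[0] if prefix else None
        if command == "NICK":
            nick = params[0] if params else (trailing or "")
            label = classify_nick(nick)
            if label:
                alerts.append((n, f"bot nickname ({label})", nick))
        elif command == "JOIN" and sender and classify_nick(sender) and params:
            alerts.append((n, f"bot nickname joined {params[0]}", sender))
        elif command == "PRIVMSG" and trailing:
            if any(p.match(trailing) for p in BOT_MSG_PATTERNS):
                alerts.append((n, "bot status message", sender or ""))
    return alerts


# Constructed sample traffic (assumption): one bot registering, joining and
# reporting, a second bot family, and a benign user for contrast.
SAMPLE_IRC = [
    "NICK VirUs-rigvgunl",
    ":VirUs-rigvgunl!bot@10.0.0.5 JOIN #usb",
    ":VirUs-rigvgunl!bot@10.0.0.5 PRIVMSG #usb :Infected usb drive: E:",
    "NICK [03|MEX|XP|981734]",
    "NICK alice",
    ":alice!a@10.0.0.9 PRIVMSG #linux :has anyone tried the new kernel?",
]

if __name__ == "__main__":
    for alert in scan_irc(SAMPLE_IRC):
        print(alert)
```

On the constructed lines this yields four alerts (two bot NICKs, the JOIN to #usb and the status message) and nothing for the benign user. Matching on the nickname shape rather than on exact strings is what lets a signature survive the random suffix the bot generates per host.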

Thinking about 10 gig IPS

I have been looking at 10 gig solutions for IPS and I have to say there is a wide difference in the way the different vendors are doing this.

IBM
The Network Security Controller allows two 10-gigabit networks to be connected in an active/passive configuration. You then connect the copper IPS devices to the controller, and the controller spreads the load among them. This gives the IPS the ability to inspect up to 10 Gbps of traffic, assuming the combined inspection capacity of the attached IPS devices reaches 10 Gbps. The GX6116 has an inspected throughput of 6 Gbps. IBM has no native 10-gigabit interfaces on its IPS devices.

McAfee
McAfee offers two devices with 10-gigabit interfaces. The M8000 has twelve 10-gigabit Ethernet ports and a maximum throughput of 10 Gbps; the M6050 has eight 10-gigabit Ethernet ports and a maximum throughput of 5 Gbps.

Sourcefire
Sourcefire has the 3D9800, with four fiber 10 Gbps interfaces and a line speed of up to 10 Gbps, and the 3D9900, with four 10 Gbps SR interfaces, also with a line speed of up to 10 Gbps.

TippingPoint
The TippingPoint Core Controller has six 10 Gbps Ethernet interfaces (3 segments). This is similar in design to the IBM solution: the controller distributes the load across the connected backend IPS devices, so the total inspected bandwidth depends on the backend IPS devices.
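As an added illustration (not code from this post and not IBM's or TippingPoint's actual distribution algorithm, which the post does not describe), here is the property a front-end controller has to get right when it spreads 10 Gbps across several backend sensors: a stateful IPS must see both directions of a TCP session on the same sensor, so the per-flow hash has to be symmetric. The Python below hashes the 5-tuple in canonical endpoint order and contrasts it with a naive packet-order key; the four-sensor setup and the 1000 sample flows are constructed assumptions.

```python
"""Added example: symmetric per-flow load distribution across IPS sensors.

Assumptions (not from the original post): SHA-256 modulo sensor count as the
hash, 4 sensors, and SAMPLE_FLOWS constructed for illustration.
"""
import hashlib
import ipaddress


def naive_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Key built in packet order: A->B and B->A hash to different values (the flaw)."""
    return (ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
            + ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
            + bytes([proto]))


def symmetric_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Sort the two endpoints so both directions of a flow produce one key."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted([a, b])
    return (lo[0] + lo[1].to_bytes(2, "big") + hi[0] + hi[1].to_bytes(2, "big")
            + bytes([proto]))


def pick_sensor(key: bytes, n_sensors: int) -> int:
    """Map a flow key to a backend sensor index in 0..n_sensors-1."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_sensors


def distribute(packets, n_sensors, key_fn=symmetric_key):
    """Return {sensor_index: [packet indexes]} for a list of 5-tuples."""
    buckets = {i: [] for i in range(n_sensors)}
    for idx, pkt in enumerate(packets):
        buckets[pick_sensor(key_fn(*pkt), n_sensors)].append(idx)
    return buckets


def both_directions_same_sensor(pkt, n_sensors, key_fn=symmetric_key) -> bool:
    """True if the reply direction of pkt lands on the same sensor as pkt."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    rev = (dst_ip, dst_port, src_ip, src_port, proto)
    return pick_sensor(key_fn(*pkt), n_sensors) == pick_sensor(key_fn(*rev), n_sensors)


# Constructed sample (assumption): 1000 clients talking to one web server,
# spread over 4 backend sensors.
SENSORS = 4
SAMPLE_FLOWS = [("10.1.%d.%d" % (i // 256, i % 256), 40000 + i, "192.0.2.10", 80, 6)
                for i in range(1000)]

if __name__ == "__main__":
    buckets = distribute(SAMPLE_FLOWS, SENSORS)
    print({sensor: len(idxs) for sensor, idxs in buckets.items()})
    print(all(both_directions_same_sensor(f, SENSORS) for f in SAMPLE_FLOWS))
```

With the symmetric key every flow's reply direction lands on the sensor that saw the request, and the SHA-256 modulo keeps the four buckets close to 250 flows each. With the naive key the two directions agree only by chance (probability 1/n for a uniform hash over n sensors), which is exactly the failure that breaks TCP stream reassembly on a stateful sensor.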

July Microsoft Security Bulletins

Here is the breakdown from some of the IPS vendors.

TippingPoint Digital Vaccine 7739

Bulletin # | TippingPoint Filter #
MS09-028 | 8196*, 8302, 8307
MS09-029 | 4062*
MS09-030 | 8306
MS09-031 | 8305
MS09-032 | 8296*, 8317
KB973472 | 8322

Cisco S414

Sig ID | Name | Engine
19383 | DirectX Size Validation Vulnerability | string-tcp
19384 | DirectX Pointer Validation Vulnerability | meta
19384.1 | DirectX Pointer Validation Vulnerability | multi-string
19384.2 | DirectX Pointer Validation Vulnerability | string-tcp
19401 | Microsoft Publisher File Parsing Vulnerability | string-tcp
19339.1 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.6 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.7 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.8 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.9 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.2 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.3 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.4 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp
19339.5 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp

IBM/ISS

MS09-029, MS09-028
Proventia Network IDS XPU 29.070
Proventia Network IPS XPU 29.070
Proventia Network MFS XPU 29.070
Proventia Server IPS for Linux technology 29.070
Proventia Server IPS for Microsoft Windows technology 1.0.914.2410
Proventia Server IPS for Microsoft Windows technology 2.0.300.2410
Proventia-G 1.1 and earlier XPU 29.070
RealSecure Network XPU 29.070
RealSecure Server Sensor XPU 29.070

Welcome

Hello,

This is the first post on the Intrusion Detection and Prevention blog. I plan to post information relating to these technologies, the vendors, etc. I hope you find it useful and interesting.

