Domain: bleedingsnort.com
Stories and comments across the archive that link to bleedingsnort.com.
Comments · 8
-
Snort signatures here:
-
snort signatures for network admins
Snort signatures for the google desktop and download of google desktop can be found here.
If you're really worried. -
IDS signaturesThe Microsoft advisory says:
** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?
While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. . Customers should contact their IDS provider to determine if it offers protection from this vulnerability.
Snort sigs have been available from BleedingSnort for some time now; I pushed them out to our corporate IDS yesterday morning.
(Warning, mangled by Slashcode - remove newlines)
#by mmlange alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_met afile.pm.php; classtype:attempted-user; sid:2002734; rev:1;)
# By Frank Knobbe, 2005-12-28 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/20 05/3086; sid:2002733; rev:1;)Once again it looks like Microsoft are going to escape the 'perfect exploit' meltdown by the skin of their teeth. This is exploitable remotely, but Dr Evil can't sit at a console typing in arbitrary IP addresses to 0wn with the exploit. On the other hand you can get close to that sort of thing using Metasploit Framework.
-
Bleeding snort rules here:
-
Spyware
One of your biggest problems is going to be spyware, do yourself a favor and setup a DNS blackhole. We've set this up here at the Iberia Parish school district in Louisiana and love it.
Get some kind of imaging software like Symantec Ghost, try to keep your software installations as identical as possible.
Give each user a share on the server and make them save their documents there instead of on their hard drive (you can redirect My Documents to a share with Group Policies). Makes recovery much easier when you need to replace a hard drive, or re-image a Windows install that's overridden with viruses/spyware/etc.
Leave Windows on the workstations, but install Linux on old servers to be used for DNS/web caching/samba/whatever.
When you setup your firewall be sure to block the ports of AIM/Yahoo/MSN/IRC/Kazaa/Gnutella/and whatever else you can think of. If you don't, I can promise you the students will do nothing but chat and download music all day. -
MarketScore is included on the Black Hole DNS List
anti-spyware utility manufacturers are still thinking whether to include it on their list
If you use the blackhole dns list of spyware domains from bleedingsnort.com its already included based on this submission from doxdesk. Squid ACLs are a great way to stop these parasites and you don't have to wait for anti-spyware manufacturers to decide whether its spyware or not. Also ClamAV lets you create your own signatures so you can setup rules to detect anything you consider to be spyware. -
detection of botnets
For those of you that use Snort as an Intrustion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort
Look for IRC rules that are non-standard ports. Very easy to run. -
Re:Good, it was stupid
Effectively you are proposing to DDOS spamming machines. And if those servers have been subverted and are running as zombies?
Then the zombie PC will be disabled.
And if the DDOS takes down a bunch of legitimate servers upstream of the zombie?
Then networks will be greatly encouraged to deal with their zombie clients.
And if the DDOS financially damages a company who had a server subverted through no fault of their own?
See above
It's not like the spammers wouldn't instantly switch to a different server anyway...
Again, see above - if networks dealt with zombie PCs quickly then the 419ers wouldn't be have other systems to move to.I'm a sysadmin for a number of decent sized networks. I put a lot of effort into automated detection and isolation of trojaned machines (thanks in part to the excellent signatures at Bleeding Snort). Unfortunately, there isn't the will or the funding for this sort of activity at many companies. This DDoS tool would certainly provide the impetus.