Cisco Intrusion Prevention System Signature Update S313
January 08, 2008

Copyright (C) 1999-2007 Cisco Systems, Inc. All rights reserved. Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

S313 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS

IMPORTANT NOTES
  - MINIMUM REQUIRED VERSION IS NOW 5.1-5-E1
  - ANNOUNCING AVAILABILITY OF IPS VERSIONS 6.0(3)E1 & 5.1(7)E1 SERVICE PACKS

IPS 5.1(5)E1 AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

IPS 5.x EVENT VIEWER SUPPORT

S279-S312 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
S313 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                                  ENGINE       SEVERITY  ENABLED
6171.0   HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution       STRING-TCP   High      True
6224.0   Windows IGMP Overflow                                                    ATOMIC-IP    High      True
6755.0   Windows Remote Kernel TCP/IP ICMP Vulnerability                          ATOMIC-IP    Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
IMPORTANT NOTES

MINIMUM REQUIRED VERSION IS NOW 5.1-5-E1

Beginning with S288, customers must be running IPS version 5.1-5-E1 or later to install signature updates. Signature updates on sensors running IPS versions older than 5.1-5-E1 (i.e. sensors using the nomenclature 'IPS-sig-S2XX-minreq-5.1-4') are no longer supported.

The E1 Engine update for IPS Version 5.1(5) is available for download on Cisco.com. This release includes the E1 engine update package and the 5.1(5)E1 Service Pack and System/Recovery images, which replace the 5.1(5) Service Pack and System/Recovery images.

Also note that, beginning with the S288 signature update, IPS version 5.1 and 6.0 sensors use the same signature update package. Signature update files for both IPS 5.1 and 6.x are therefore posted to the following URLs:

  Sensor:       http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup
  CSM/ IPS MC:  http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup

Note: Beginning with S288, signature update files are no longer posted to:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

Engine updates are not supported on IPS versions 5.1(4) and older. Customers on IPS versions 5.1(4) and older must upgrade to 5.1(5)E1 to ensure full signature coverage.

With the release of the E1 engine update, the IPS signature nomenclature changes from IPS-sig-S2XX-minreq-5.1-4.pkg to IPS-sig-S2XX-req-E1.pkg to reflect the new engine requirement (in this case, E1).

For details regarding Cisco's End-of-Sale policy for signature updates, refer to the "End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors" Product Bulletin available at the following URL:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd80358daa.html

The 5.1(5)E1 engine update and associated service packs and system/recovery images can be downloaded from Cisco.com at the URLs listed below. You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site and have an active Cisco Service for IPS maintenance contract to request software upgrades from Cisco.com.

Engine Update Files:
  Sensor (IPS-K9-engine-E1-req-5.1-5.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/IPS MC (IPS-CS-MGR-engine-E1-req-5.1-5.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

Service Pack Files:
  Sensor (IPS-K9-5.1-5-E1.pkg or IPS-4260-K9-5.1-5-E1.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/ IPS MC (IPS-CS-MGR-K9-5.1-5-E1.zip or IPS-CS-MGR-4260-K9-5.1-5-E1.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

System and Recovery Image Files:
  Appliance Sensors: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
  ASA-SSM:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
  IDSM2:             http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
  NM-CIDS:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

Additional Information:

Customers on IPS 5.1(4) or older:
  - Upgrade to IPS 5.1(5)E1 using the 5.1(5)E1 Service Pack file.
  - Begin using the engine-style signature updates available on Cisco.com at the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers on IPS 5.1(5):
  - Install the E1 engine update.
  - Begin using the engine-style signature updates available on Cisco.com at the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers using VMS 2.3 w/IPS MC 2.2:
  - The engine updates require you to verify and/or install Service Pack 2 for IPS MC 2.2.
  - The following link will take you to the Service Pack 2 download:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

Customers using CSM 3.0.1:
  - The engine updates require you to verify and/or install the IPS Patch.
  - The following link will take you to the IPS Patch:
    http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

Customers using CSM 3.1:
  - No action required; engine updates are supported.

ANNOUNCING AVAILABILITY OF IPS VERSIONS 6.0(3)E1 & 5.1(7)E1 SERVICE PACKS

The 6.0(3)E1 and 5.1(7)E1 Service Packs for Cisco IPS Version 6.0 and 5.1 sensors are now available for download.

Note: System and recovery images are intended primarily for disaster recovery and should not be used to upgrade your sensor, because all configuration settings will be lost. To upgrade your sensor and keep its configuration settings, use the service pack files.

For installation instructions and details regarding the bug fixes delivered in these service packs, refer to the readme files available at the URLs listed below.

The 6.0(3)E1 and 5.1(7)E1 service pack, recovery image, and system image files can be downloaded from Cisco.com at the URLs listed below. You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site and have an active Cisco Service for IPS maintenance contract to request software upgrades from Cisco.com.
6.0(3)E1 Service Pack Files:
  Sensor:       http://www.cisco.com/cgi-bin/tablebuild.pl/ips6
  CSM/ IPS MC:  http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

6.0(3)E1 System and Recovery Image Files:
  Appliance Sensors: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-system
  ASA-SSM:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-asa-aip
  IDSM2:             http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-cat6500-idsm2-sys
  NM-CIDS:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-nm-image-files

5.1(7)E1 Service Pack Files:
  Sensor:       http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/ IPS MC:  http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

5.1(7)E1 System and Recovery Image Files:
  Appliance Sensors: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
  ASA-SSM:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
  IDSM2:             http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
  NM-CIDS:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

========================================================================
IPS 5.1(5)E1 AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install signature update S313 or later.
------------------------------------------------------------------------

------------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S313 signature update contains all previously released signature updates.

This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

The IPS-sig-S313-req-E1.pkg upgrade file can be applied to the following sensor platforms:

  - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
  - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220 and IDS-4230)
  - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
  - NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router Families
  - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (requires ASA)
  - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (requires ASA)

The sensor must report its version as 5.1(5)E1 or later before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

  show version

INSTALLATION

------------------------------------------------------------------------
Note: This signature update may take a while to install depending on the configuration of the sensor and the amount of traffic the sensor is processing. Do not reboot the sensor while the signature update is installing, as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system.
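The three rules stated above (a sensor must report 5.1(5)E1 or later, packages are cumulative, and only the engine-style IPS-sig-SNNN-req-E1.pkg name is supported from S288 onward) are easy to check before anyone types the upgrade command. The script below is an added example, not Cisco tooling: it parses a show version transcript and the package file name and says whether the upgrade should be attempted. The show version excerpt is a constructed approximation of the command's output, and treating a version with no E suffix (e.g. a plain 5.1(5)) as engine level 0 is this example's own assumption.

```python
"""Pre-flight check before 'upgrade <url>/IPS-sig-SNNN-req-E1.pkg'.

Added example, not Cisco code. The 'show version' sample is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimum sensor version for S288 and later packages (readme: 5.1(5)E1),
# encoded as (major, minor, service pack, engine level).
Version = Tuple[int, int, int, int]
MIN_VERSION: Version = (5, 1, 5, 1)

# Constructed sample; only the 'Version ...' and 'Signature Update ...'
# lines are parsed. A real sensor prints more (host, OS, license lines).
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Intrusion Prevention System, Version 5.1(5)E1

Signature Definition:
    Signature Update    S300.0   2007-10-01
"""

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)(?:E(\d+))?")
SIG_LEVEL_RE = re.compile(r"Signature Update\s+S(\d+)")
# Engine-style names used from S288 onward, e.g. IPS-sig-S313-req-E1.pkg
ENGINE_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")
# Legacy names that the readme says are no longer supported.
LEGACY_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-minreq-5\.1-4\.pkg$")


def parse_sensor_version(show_version: str) -> Version:
    """Extract (major, minor, sp, engine) from 'show version' output.
    No E suffix is treated as engine level 0 (assumption of this example)."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no 'Version x.y(z)' line found in show version output")
    major, minor, sp, engine = m.groups()
    return (int(major), int(minor), int(sp), int(engine or 0))


def parse_signature_level(show_version: str) -> Optional[int]:
    """Return the S-level currently loaded, or None if not reported."""
    m = SIG_LEVEL_RE.search(show_version)
    return int(m.group(1)) if m else None


def fmt_version(v: Version) -> str:
    return f"{v[0]}.{v[1]}({v[2]})" + (f"E{v[3]}" if v[3] else "")


@dataclass(frozen=True)
class Package:
    level: int   # S-level, e.g. 313
    engine: int  # engine level the package requires, e.g. 1 for E1


def parse_package_name(filename: str) -> Package:
    """Accept only the engine-style name, exactly as downloaded."""
    m = ENGINE_PKG_RE.match(filename)
    if m:
        return Package(level=int(m.group(1)), engine=int(m.group(2)))
    if LEGACY_PKG_RE.match(filename):
        raise ValueError(f"{filename}: minreq-5.1-4 packages are not supported "
                         "from S288 onward; use the -req-E1 package")
    raise ValueError(f"{filename}: not a signature package name "
                     "(the original file name must be preserved)")


def preflight(show_version: str, filename: str) -> Tuple[bool, str]:
    """Return (ok, reason) for running 'upgrade <url>/<filename>'."""
    pkg = parse_package_name(filename)
    ver = parse_sensor_version(show_version)
    if ver < MIN_VERSION:
        return False, (f"sensor is {fmt_version(ver)}; S{pkg.level} needs "
                       f"{fmt_version(MIN_VERSION)} or later")
    if ver[3] < pkg.engine:
        return False, f"package needs engine E{pkg.engine}; sensor reports E{ver[3]}"
    current = parse_signature_level(show_version)
    if current is not None and current >= pkg.level:
        return False, (f"sensor already at S{current}; S{pkg.level} is "
                       "cumulative and would add nothing")
    return True, f"apply S{pkg.level} to {fmt_version(ver)} (currently S{current})"


if __name__ == "__main__":
    print(preflight(SAMPLE_SHOW_VERSION, "IPS-sig-S313-req-E1.pkg"))
    print(preflight(SAMPLE_SHOW_VERSION.replace("5.1(5)E1", "5.1(4)"),
                    "IPS-sig-S313-req-E1.pkg"))
```

The version is compared as a tuple so that 5.1(5) without the E1 engine update sorts below 5.1(5)E1 and is refused, which matches the "Customers on IPS 5.1(5): Install the E1 engine update" instruction above; a 5.1(7)E1 or 6.0(3)E1 sensor passes.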
For details, refer to the Copy command section in the applicable Command Reference Guide located at the following URLs:
  IPS Version 6.0: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cmdref/crcmds.htm#wp458440
  IPS Version 5.1: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crcmds.htm#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S313 signature update on a 5.1(5)E1 or later sensor:

1. Download the binary file IPS-sig-S313-req-E1.pkg to an FTP, SCP, HTTP, or HTTPS server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

   configure terminal

4. Execute the upgrade command by typing the following:

   upgrade [URL]/IPS-sig-S313-req-E1.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following:

   upgrade ftp://username@ip-address//directory/IPS-sig-S313-req-E1.pkg

   The available transport methods are SCP, FTP, HTTP, and HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the S313 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

   configure terminal

3. Type the following command to start the downgrade:

   downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Do not reboot the sensor while the downgrade is in progress, as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------

CAVEATS

None.

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS

You can only apply the IPS-CS-MGR-sig-S313-req-E1.zip signature update file to CSM 3.0 or later and IPS MC version 2.2 or later.

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install signature update S313 or later.
------------------------------------------------------------------------

INSTALLATION

To install the S313 signature update on CSM or IPS MC, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/etc/ids/updates directory on the server where you have installed CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2. Start IPS MC from the CiscoWorks Server desktop.
3. Select Configuration > Updates.
4. In the TOC, select Update Network IDS/IPS Signatures.
5. In the TOC, select Submit.
6. Select a file from the Update File list box and click Apply.
7. Select the sensor(s) you want to update and click Next.
8. Enter a Job Name (optional) and select the Schedule Type: Immediate or Scheduled. If Scheduled is selected, set the start time of the update.
9. Click Next to continue.
10. Verify that the Summary is correct. Use the Back button to correct an incorrect entry.
11. Click Finish. Check the progress viewer to track the installation of the signature update on the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using IPS MC, follow the uninstallation instructions listed in the SENSOR SIGNATURE UPDATE INSTRUCTIONS section of this document.

CAVEATS

None.

========================================================================
IPS 5.x EVENT VIEWER SUPPORT

The IPS Event Viewer (IEV) Version 5.2(1) supports IPS 5.0 and later releases. IEV Version 5.2(1) can be downloaded from CCO at the following URL:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

Refer to the readme for installation instructions.

NOTE: Signature information is now dynamically retrieved from the sensor(s). It is no longer necessary to install a separate IEV signature update package for each new signature update.

The following additional applications can be used for event monitoring:
  - IDS Security Monitor Version 2.1 or later
  - CLI
  - IDM
  - CS MARS

For details on using the CLI or IDM, refer to the user documentation available at:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/index.htm

For more information on CS-MARS, visit:
  http://www.cisco.com/en/US/products/ps6241/index.html

========================================================================
S312 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                          ENGINE       SEVERITY  ENABLED
6017.3   DirectShow SAMI Parsing Remote Code Execution    META         High      True
6017.4   DirectShow SAMI Parsing Remote Code Execution    STRING-TCP   Info      True
6017.5   DirectShow SAMI Parsing Remote Code Execution    STRING-TCP   Info      True
6412.0   Malformed BGP Message                            ATOMIC-IP    Medium    True

TUNED SIGNATURES

SIGID    SIGNAME                                                     ENGINE          SEVERITY  ENABLED  DDTS
6030.0   Microsoft Windows Message Queuing Service Code Execution    SERVICE-MSRPC   High      True     CSCsl77366
         Details: The regex was modified to increase fidelity.

CAVEATS

None.
========================================================================
S311 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                     ENGINE          SEVERITY  ENABLED
6017.0   DirectShow SAMI Parsing Remote Code Execution               META            High      True
6017.1   DirectShow SAMI Parsing Remote Code Execution               STRING-TCP      Info      True
6017.2   DirectShow SAMI Parsing Remote Code Execution               STRING-TCP      Info      True
6030.0   Microsoft Windows Message Queuing Service Code Execution    SERVICE-MSRPC   High      True
6069.0   Windows Media Format Remote Code Execution                  META            High      True
6069.1   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6069.2   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6069.3   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6069.4   Windows Media Format Remote Code Execution                  META            High      True
6069.5   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6069.6   Windows Media Format Remote Code Execution                  META            High      True
6069.7   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6069.8   Windows Media Format Remote Code Execution                  STRING-TCP      Info      True
6403.0   IE Uninitialized Memory Corruption                          META            High      True
6403.1   IE Uninitialized Memory Corruption                          STRING-TCP      Info      True
6406.0   DirectShow WAV Parsing Remote Code Execution                STRING-TCP      High      True
6408.0   IE DHTML Memory Corruption                                  META            High      True
6408.1   IE DHTML Memory Corruption                                  STRING-TCP      Info      True
6409.0   IE Invalid Object Memory Corruption                         META            High      True
6409.1   IE Invalid Object Memory Corruption                         STRING-TCP      Info      True
6409.2   IE Invalid Object Memory Corruption                         STRING-TCP      Info      True
6410.0   IE Unsafe Memory Operation                                  META            High      True
6410.1   IE Unsafe Memory Operation                                  STRING-TCP      Info      True
6410.2   IE Unsafe Memory Operation                                  STRING-TCP      Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                             ENGINE                 SEVERITY  ENABLED
5928.0   CSA for Windows System Driver Remote Buffer Overflow Vulnerability  SERVICE-SMB-ADVANCED   High      True

CAVEATS

None.
========================================================================
S310 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                             ENGINE                 SEVERITY  ENABLED
5915.0   Microsoft FoxPro ActiveX Vulnerability                              STRING-TCP             High      True
5928.0   CSA for Windows System Driver Remote Buffer Overflow Vulnerability  SERVICE-SMB-ADVANCED   High      True
5985.0   Quicktime RTSP Content-Type Excessive Length                        STRING-TCP             High      True

TUNED SIGNATURES

SIGID    SIGNAME                          ENGINE   SEVERITY  ENABLED  DDTS
3115.0   Sendmail Data Header Overflow    STATE    High      False
         Details: This signature was retired.

CAVEATS

None.

========================================================================
S309 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                             ENGINE       SEVERITY  ENABLED  DDTS
5478.0   Microsoft Exchange SMTP Overflow    STRING-TCP   High      True     CSCsl20094
         Details: Signature regex has been modified to increase fidelity.
5478.1   Microsoft Exchange SMTP Overflow    STRING-TCP   High      True     CSCsl20094
         Details: Signature regex has been modified to increase fidelity.
5684.2   Malformed SIP Packet                ATOMIC-IP    High      True     CSCsl01844
         Details: Signature regex has been modified to increase fidelity.
5894.1   Storm Worm                          ATOMIC-IP    High      True
         Details: Signature regex and event counts were modified to increase fidelity.

CAVEATS

None.
========================================================================
S308 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                  ENGINE       SEVERITY  ENABLED
5878.0   VBE Object ID Buffer Overflow            STRING-TCP   High      True
5889.0   NeoTrace ActiveX Buffer Overflow         STRING-TCP   High      True
5909.0   Browser Address Bar Spoofing Attack      STRING-TCP   Medium    True
5916.0   URL Handler Vulnerability                STRING-TCP   High      True
5919.0   Microsoft Kodak Image Viewer Overflow    STRING-TCP   High      True

The following signatures were modified via DDTS CSCsk71144 to be set to DISABLED and RETIRED:
  5146.1, 5146.2, 5146.3, 5146.4, 5146.5, 5146.6, 5146.7, 5146.8, 5146.9, 5146.10, 5146.11, 5146.12, 5146.13, 5146.14, 5146.15, 5146.16, 5146.17

The following signatures were modified to be set to DISABLED and RETIRED:
  3254.0, 3254.1, 3347.0, 5045.0, 5047.0, 5159.0, 5188.1, 5188.3, 5247.0, 5364.0, 5406.0, 5423.0, 5425.0, 5427.0, 5432.0, 5437.0, 5441.0, 5441.1, 5453.0, 5460.0, 5461.0, 5462.0, 5545.0, 5545.1, 5554.0, 5556.0, 5610.0, 5638.0, 5678.0, 5695.0, 5722.0, 5729.0, 5729.1, 5734.0, 5735.0, 5753.0, 5768.0, 5777.0, 12025.0, 12025.1, 12026.0

CAVEATS

None.

========================================================================
S307 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                       ENGINE         SEVERITY  ENABLED
5910.0   CUCM Centralized TFTP File Locator Service Buffer Overflow    SERVICE-HTTP   Medium    True
5912.0   CUCM SIP INVITE UDP Denial of Service                         ATOMIC-IP      Medium    True
5913.0   PIX/ASA/FWSM MGCP DoS                                         MULTI-STRING   Medium    True
5913.1   PIX/ASA/FWSM MGCP DoS                                         MULTI-STRING   Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S306 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                          ENGINE       SEVERITY  ENABLED
6068.0   Cisco Wireless Control System Administrative Default Password    STRING-TCP   Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S305 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                             ENGINE         SEVERITY  ENABLED
5809.0   DCERPC Authentication DoS                           META           Medium    True
5809.1   DCERPC Authentication DoS                           STRING-TCP     Info      True
5809.2   DCERPC Authentication DoS                           STRING-TCP     Info      True
5809.3   DCERPC Authentication DoS                           STRING-TCP     Info      True
5903.0   MS SharePoint XSS                                   META           Medium    True
5903.1   MS SharePoint XSS                                   SERVICE-HTTP   Info      True
5903.2   MS SharePoint XSS                                   STRING-TCP     Info      True
5905.0   Microsoft Internet Explorer Address Bar Spoof       STRING-TCP     Low       True
5905.1   Microsoft Internet Explorer Address Bar Spoof       STRING-TCP     Low       True
5906.0   Microsoft Malformed Word Document Code Execution    STRING-TCP     High      True
5908.0   NNTP Overflow                                       META           High      True
5908.1   NNTP Overflow                                       STRING-TCP     Info      True
5908.2   NNTP Overflow                                       STRING-TCP     Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S304 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                     ENGINE          SEVERITY  ENABLED  DDTS
3337.0   Windows RPC Race Condition Exploitation     SERVICE-MSRPC   High      True     CSCsk73541
         Details: The SFR for this signature was lowered to 80 and the opcode was set to 0.

CAVEATS

None.

========================================================================
S303 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                          ENGINE       SEVERITY  ENABLED
5880.0   Sun Java Web Start JNLP File Stack Overflow      STRING-TCP   High      True
5885.0   EnjoySAP kweditcontrol.kwedit Stack Overflow     STRING-TCP   High      True
5902.0   AIM Message HTML Injection                       STRING-TCP   High      True

TUNED SIGNATURES

SIGID    SIGNAME                                     ENGINE            SEVERITY  ENABLED  DDTS
3337.0   Windows RPC Race Condition Exploitation     SERVICE-MSRPC     High      True     CSCsj62336
         Details: alert-frequency set to fire-once and summary-key set to AxBx.
3531.0   Cisco IOS Telnet DoS                        SERVICE-GENERIC   High      True     CSCsk45744
         Details: sig-fidelity-rating set to 75 and sig-description updated.

The following signatures were modified via DDTS CSCsk64356 to remove hidden ports:
  5561-2, 5641-0, 5641-1, 5716-0, 5727-0, 5731-1, 5731-2, 5732-1, 5732-2, 5766-0 and 5775-1.

The following signatures were modified via DDTS CSCsk50822 to remove hidden ports:
  5861-0, 5861-1, 5863-1, 5863-2, 5864-0, 5888-0, 6130-1, 6130-2, 6130-4, 6130-7, 6130-8 and 6130-10.

The following signatures were modified via DDTS CSCsk48393 to remove hidden ports:
  5776-3, 5797-1, 5797-2, 5797-3, 5799-1, 5799-2, 5799-3, 5799-5, 5799-6, 5814-1, 5814-2, 5822-1 and 5822-2.

The following signatures were modified via DDTS CSCsk65780 to remove hidden ports:
  5830-0, 5831-0, 5835-0, 5835-1, 5835-3, 5835-4, 5835-6, 5835-7, 5839-0, 5857-1 and 5857-2.

CAVEATS

None.

========================================================================
S302 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                    ENGINE       SEVERITY  ENABLED
5890.0   Long IMAP SUBSCRIBE Command                STRING-TCP   High      True
5893.0   Cisco IP Phone Remote Denial of Service    META         Medium    True
5893.1   Cisco IP Phone Remote Denial of Service    ATOMIC-IP    Info      True
5893.2   Cisco IP Phone Remote Denial of Service    ATOMIC-IP    Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S301 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                    ENGINE       SEVERITY  ENABLED
5435.0   Crystal Reports Remote Code Execution      STRING-TCP   High      True
5898.0   Microsoft Agent HTTP Code Execution        META         High      True
5899.0   MSN Messenger Webcam Buffer Overflow       ATOMIC-IP    High      True

TUNED SIGNATURES

SIGID    SIGNAME                                    ENGINE            SEVERITY  ENABLED  DDTS
5773.0   Simple PHP Blog Unauthorized File Access   SERVICE-HTTP      Low       False
5773.1   Simple PHP Blog Unauthorized File Access   SERVICE-HTTP      Low       False
5806.0   Winny P2P Connection Activity              META              Low       False
5806.1   Winny P2P Connection Activity              SERVICE-GENERIC   Info      False
5806.2   Winny P2P Connection Activity              SERVICE-GENERIC   Info      False
5806.3   Winny P2P Connection Activity              SERVICE-GENERIC   Info      False
5828.0   Apache Server Side Cross Site Scripting    SERVICE-HTTP      Medium    False
12001.0  Bonzi Buddy Spyware Beacon                 SERVICE-HTTP      Low       False
12002.0  SaveNow Ad Request                         SERVICE-HTTP      Low       False
12002.1  SaveNow Ad Request                         SERVICE-HTTP      Low       False
12003.0  Ezula Spyware                              SERVICE-HTTP      Low       False
12004.0  Cydoor Spyware                             SERVICE-HTTP      Low       False
12005.0  Hotbar Activity                            SERVICE-HTTP      Low       False
12005.1  Hotbar Activity                            SERVICE-HTTP      Low       False
12006.0  Linkgrabber99 Activity                     SERVICE-HTTP      Low       False
12008.0  180solutions Adware                        SERVICE-HTTP      Low       False
12009.0  MarketScore Activity                       SERVICE-HTTP      Low       False
12010.0  GAIN Adware Activity                       SERVICE-HTTP      Low       False
12011.0  TOPicks Activity                           SERVICE-HTTP      Low       False
12013.0  ISTbar Toolbar Activity                    SERVICE-HTTP      Low       False
12014.0  KeenValue Spyware                          SERVICE-HTTP      Low       False
12014.1  KeenValue Spyware                          SERVICE-HTTP      Low       False
12015.0  ShopAtHomeSelect Agent Activity            SERVICE-HTTP      Low       False
12015.1  ShopAtHomeSelect Agent Activity            SERVICE-HTTP      Low       False
12016.0  SearchRelevancy Spyware                    SERVICE-HTTP      Low       False
12017.0  TSA Activity                               SERVICE-HTTP      Low       False
12018.0  Toprebate Activity                         SERVICE-HTTP      Low       False
12019.0  SideFind Activity                          SERVICE-HTTP      Low       False
12020.0  WindUpdates Activity                       SERVICE-HTTP      Low       False
12021.0  Internet Optimizer Activity                SERVICE-HTTP      Low       False
12023.0  DAP Activity                               SERVICE-HTTP      Low       False
12023.1  DAP Activity                               SERVICE-HTTP      Low       False
12024.0  New.net Activity                           SERVICE-HTTP      Low       False

CAVEATS

None.

========================================================================
S300 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                                        ENGINE         SEVERITY  ENABLED
5703.0   Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability  STRING-TCP     High      True
5816.1   TOR Client Activity                                                            MULTI-STRING   Low       True

TUNED SIGNATURES

SIGID    SIGNAME                                    ENGINE         SEVERITY  ENABLED  DDTS
5873.0   Microsoft Speech API 4 ActiveX Overflow    STRING-TCP     High      True     CSCsk29135
5874.0   Microsoft Speech API 4 ActiveX Overflow    STRING-TCP     High      True     CSCsk29135
5483.0   IE Content Advisor Buffer Overflow         STRING-TCP     High      False
5490.0   Firefox JavaScript IFRAME Exploitation     STRING-TCP     High      False
6011.0   Internet Explorer FTP Command Injection    STRING-TCP     High      False
11210.0  AIM / ICQ Through HTTP Proxy               SERVICE-HTTP   Info      False
11210.1  AIM / ICQ Through HTTP Proxy               STRING-TCP     Info      False

CAVEATS

None.

========================================================================
S299 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                               ENGINE       SEVERITY  ENABLED
5892.0   Motive Communications ActiveUtils Buffer Overflow     STRING-TCP   High      True

TUNED SIGNATURES

SIGID    SIGNAME                             ENGINE       SEVERITY  ENABLED  DDTS
5810.0   SecureCRT SSH1 Buffer Overflow      STRING-TCP   High      True     CSCsk23856
         Details: The exact-match-offset parameter has been increased to increase fidelity.
5894.0   Storm Worm                          STRING-TCP   High      True     CSCsk23846
         Details: The regular expression of this signature has been modified to increase fidelity.

CAVEATS

None.
========================================================================
S298 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME          ENGINE       SEVERITY  ENABLED
5894.0   Storm Worm       STRING-TCP   High      True
5894.1   Storm Worm       ATOMIC-IP    High      True

TUNED SIGNATURES

SIGID    SIGNAME                       ENGINE            SEVERITY  ENABLED  DDTS
1315.0   ACK w/o TCP Stream            NORMALIZER        Info      True     CSCsj18685
         Details: sig-string-info spelling error corrected.
3123.0   NetBus Pro Traffic            ATOMIC-IP         Medium    False
         Details: Signature set DISABLED and RETIRED.
5884.1   IOS NHRP Buffer Overflow      SERVICE-GENERIC   High      True     CSCsk08883
         Details: The instruction set for this signature has been updated to increase its fidelity.

CAVEATS

None.

========================================================================
S297 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                             ENGINE       SEVERITY  ENABLED
5683.0   Vista Feed Headlines Gadget Remote Code Execution   META         High      True
5683.1   Vista Feed Headlines Gadget Remote Code Execution   STRING-TCP   Info      True
5683.2   Vista Feed Headlines Gadget Remote Code Execution   STRING-TCP   Info      True
5887.0   Microsoft PDWizard ActiveX Overflow                 STRING-TCP   High      True
5888.0   TLBINF32.DLL COM Object Instantiation               STRING-TCP   High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                ENGINE       SEVERITY  ENABLED  DDTS
3166.0   FTP USER Suspicious Length                             STRING-TCP   High      True     CSCsk01172
         Description: Signature regex has been modified to increase fidelity.
5561.0   Windows SMTP Overflow                                  META         High      True     CSCsk02763
         Description: The meta-key has been modified to display the victim address.
5727.0   Cisco VPN 3000 Concentrator HTTP Attack Vulnerability  STRING-TCP   High      False
         Description: The signature has been set to DISABLED and RETIRED.

CAVEATS

========================================================================
S296 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                       ENGINE            SEVERITY  ENABLED
5884.1   IOS NHRP Buffer Overflow      SERVICE-GENERIC   High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

========================================================================
S295 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                       ENGINE            SEVERITY  ENABLED
5684.0   Malformed SIP Packet          ATOMIC-IP         Medium    True
5684.1   Malformed SIP Packet          STRING-TCP        Medium    True
5684.2   Malformed SIP Packet          ATOMIC-IP         High      True
5684.3   Malformed SIP Packet          ATOMIC-IP         Medium    True
5684.4   Malformed SIP Packet          STRING-TCP        Medium    True
5684.5   Malformed SIP Packet          STRING-UDP        Medium    True
5684.6   Malformed SIP Packet          ATOMIC-IP         Medium    True
5884.0   IOS NHRP Buffer Overflow      SERVICE-GENERIC   High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

========================================================================
S294 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

The S294 signature update contains the following modified signatures:

SIGID    SIGNAME                       ENGINE         SEVERITY  ENABLED  DDTS
3527.0   UW imapd Overflows            STRING-TCP     High      True
         Description: Signature parameter min-match-length was reduced from 1000 to 850.
3527.1   UW imapd Overflows            STRING-TCP     High      True
         Description: Signature parameter min-match-length was reduced from 1000 to 850.
3527.2   UW imapd Overflows            STRING-TCP     High      True
         Description: Signature parameter min-match-length was reduced from 1000 to 850.
3527.4   UW imapd Overflows            STRING-TCP     High      True
         Description: Signature parameter min-match-length was reduced from 1000 to 850.
5474.0   SQL Query in HTTP Request     SERVICE-HTTP   Low       True     CSCsj41253
         Description: Signature regex modified to enhance detection capabilities.
5769.0   Malformed HTTP Request        STRING-TCP     Medium    True     CSCsj82872
         Description: Signature regex modified to increase fidelity.
The following signatures were set DISABLED and RETIRED for 5.x and 6.x platforms:

  3716.0   GDI+ JPEG Buffer Overflow
  3716.1   GDI+ JPEG Buffer Overflow
  4151.0   BOBAX Virus Activity
  4151.1   BOBAX Virus Activity
  5402.0   Internet Explorer URL Spoofing
  5476.0   HTML Application Execution
  5552.0   Windows Media Player Skin File Code Execution Vulnerability
  5693.0   Metafile Buffer Overflow
  5693.1   Metafile Buffer Overflow
  5694.0   Enhanced Metafile Buffer Overflow

========================================================================
S293 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                  ENGINE       SEVERITY  ENABLED
5877.0   IE Protocol Handler Command Execution    STRING-TCP   High      True

CAVEATS

None.

========================================================================
S292 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                  ENGINE       SEVERITY  ENABLED
5876.0   WinZip ActiveX Control Instantiation     STRING-TCP   High      True

TUNED SIGNATURES

SIGID    SIGNAME                                               ENGINE       SEVERITY  ENABLED  DDTS
5408.0   Windows HCP URI Parsing Script Exec                   STRING-TCP   High      False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5408.1   Windows HCP URI Parsing Script Exec                   STRING-TCP   High      False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5418.0   IIS Cross Site Scripting .htw                         STRING-TCP   Low       False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5456.0   Internet Explorer 5 ie5filex Exploit                  STRING-TCP   Medium    False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5515.0   IE DHTML Edit Control                                 STRING-TCP   Low       False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5551.0   Outlook Web Access Cross Site Scripting Vulnerability STRING-TCP   High      False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5557.0   Windows ICC Color Management Module Vulnerability     STRING-TCP   Info      True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5557.1   Windows ICC Color Management Module Vulnerability     STRING-TCP   Medium    True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5557.2   Windows ICC Color Management Module Vulnerability     META         High      True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5692.0   Macromedia Flash Overflow                             STRING-TCP   High      False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837.
5868.0   IE Navigation Cancel Page Spoofing Vulnerability      STRING-TCP   Medium    True     CSCsj37443
         Details: The regex of this signature has been modified to increase fidelity.
6253.0   POP3 Authorization Failure                            STRING-TCP   Info      True     CSCsj37628
         Details: The regex of this signature has been modified to increase fidelity.

CAVEATS

None.

========================================================================
S291 SIGNATURE UPDATE DETAILS

TUNED SIGNATURES

SIGID    SIGNAME                               ENGINE            SEVERITY  ENABLED  DDTS
5829.0   Invalid SSL Packet                    SERVICE-GENERIC   Medium    True     CSCsi10673
         Details: The intermediate instructions have been modified to increase fidelity. The signature name has changed.
5871.0   Urlmon.dll COM Object Instantiation   STRING-TCP        High      True     CSCsj31189
         Details: The signature has been modified to increase fidelity. The signature name has changed.

CAVEATS

None.

========================================================================
S290 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                               ENGINE       SEVERITY  ENABLED
5775.1   MHTML Redirection                                     STRING-TCP   Low       True
5868.0   IE Navigation Cancel Page Spoofing Vulnerability      STRING-TCP   Medium    True
5869.0   Internet Explorer CSS Tag Memory Corruption           STRING-TCP   High      True
5870.0   Win32 API Vulnerability                               STRING-TCP   High      True
5871.0   License Manager ActiveX Control Instantiation         STRING-TCP   High      True
5873.0   Microsoft Speech API 4 ActiveX Overflow               STRING-TCP   High      True
5874.0   Microsoft Speech API 4 ActiveX Overflow               STRING-TCP   High      True

TUNED SIGNATURES

SIGID    SIGNAME                                   ENGINE       SEVERITY  ENABLED  DDTS
3403.0   Telnet Excessive Environment Options      STRING-TCP   High      False    CSCsj21903
         Details: The signature was disabled and retired.

CAVEATS

None.

========================================================================
S289 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                       ENGINE                 SEVERITY  ENABLED  DDTS
3328.0   Windows SMB/RPC NoOp Sled     STRING-TCP             Medium    True     CSCsj06346
         Details: The regex of this signature has been modified to improve signature fidelity.
5596.0   Windows SMB/RPC NoOp Sled     SERVICE-SMB-ADVANCED   Medium    True     CSCsj06346
         Details: The regex of this signature has been modified to improve signature fidelity.
5751.0   Ultr@VNC Client Overflow      STRING-TCP             High      True     CSCsg34564
         Details: The regex of this signature has been modified to improve signature fidelity.

CAVEATS

None.

========================================================================
S288 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                      ENGINE       SEVERITY  ENABLED
5866.0   IBM Lotus Domino IMAP CRAM-MD5 Overflow      STRING-TCP   High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
======================================================================== S287 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5843.0 CA BrightStor Tape Engine Overflow SERVICE-MSRPC High True TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. ======================================================================== S286 SIGNATURE UPDATE DETAILS NEW SIGNATURES There are no new signatures for this release. TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 5865.1 Microsoft WMS Arbitrary File Rewrite Vulnerability STRING-TCP Info True CSCsi84401 Details: The regex of this signature has been modified to improve signature fidelity. The following signatures have been retired to resolve CSCsi84693: SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 5642.0 DirectShow Overflow STRING-TCP Info False CSCsi84693 5642.1 DirectShow Overflow STRING-TCP Info False CSCsi84693 5642.2 DirectShow Overflow STRING-TCP Medium False CSCsi84693 5642.3 DirectShow Overflow META High False CSCsi84693 6004.0 IOS HTTP Server Iframe Command Injection STRING-TCP High False CSCsi84693 CAVEATS None. ======================================================================== S285 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5860.0 IOS FTPd Successful Login META Low True 5860.1 IOS FTPd Successful Login STRING-TCP Info True TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. 
======================================================================== S284 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5840.2 Internet Explorer CLSID Code Execution STRING-TCP High True 5862.0 Outlook Web Access UTF Character Script Execution MULTI-STRING High True 5863.0 Internet Explorer CAPICOM.Certificates Remote Code Execution META High True 5863.1 Internet Explorer CAPICOM.Certificates Remote Code Execution STRING-TCP Info True 5863.2 Internet Explorer CAPICOM.Certificates Remote Code Execution STRING-TCP Info True 5864.0 Exchange Server IMAP Literal Processing Vulnerability STRING-TCP Medium True 5865.0 Microsoft WMS Arbitrary File Rewrite Vulnerability META High True 5865.1 Microsoft WMS Arbitrary File Rewrite Vulnerability STRING-TCP Info True 5865.2 Microsoft WMS Arbitrary File Rewrite Vulnerability STRING-TCP Info True TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 5840.0 Internet Explorer CLSID Code Execution STRING-TCP High True CSCsi55663 Details: Regex was modified to increase fidelity. 5689.0 MSSQL Resolution Service ATOMIC-IP Medium True CSCsi74017 Keep-Alive DoS Details: To increase fidelity, udp-valid-length parameter for this signature has been modified from 2 to 2-30000. 
The following signatures have been retired to resolved CSCsi70742 : SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 3161.0 FTP realpath Buffer Overflow STRING-TCP High False CSCsi70742 3161.1 FTP realpath Buffer Overflow STRING-TCP High False CSCsi70742 3235.0 showHelp CHM File Execution Weakness STRING-TCP High False CSCsi70742 3235.1 showHelp CHM File Execution Weakness STRING-TCP High False CSCsi70742 3252.0 Microsoft Agent ActiveX Control STRING-TCP Low False CSCsi70742 3340.0 Windows Shell External Handler STRING-TCP High False CSCsi70742 3346.0 Windows TSShutdn.exe Attempt STRING-TCP Info False CSCsi70742 3353.0 SMB Request Overflow STRING-TCP Medium False CSCsi70742 3353.1 SMB Request Overflow META High False CSCsi70742 3353.2 SMB Request Overflow META High False CSCsi70742 3409.0 Telnet Over Non-standard Ports STRING-TCP Info False CSCsi70742 3409.1 Telnet Over Non-standard Ports STRING-TCP Info False CSCsi70742 3409.2 Telnet Over Non-standard Ports STRING-TCP Info False CSCsi70742 5407.0 IIS PCT Overflow STRING-TCP High False CSCsi70742 5409.0 Microsoft HCP Remote Code Execution STRING-TCP High False CSCsi70742 5409.1 Microsoft HCP Remote Code Execution STRING-TCP High False CSCsi70742 5446.0 Internet Explorer Install Engine Overflow STRING-TCP High False CSCsi70742 5645.0 SSH URI Handler STRING-TCP Low False CSCsi70742 5730.0 Winamp Playlist File Handling Buffer Overflow STRING-TCP High False CSCsi70742 5774.0 Windows Media Player PNG Processing Remote Code Execution STRING-TCP High False CSCsi70742 5793.0 SMB Server Driver Remote Execution STRING-TCP High False CSCsi70742 5818.0 Metasploit Shellcode Encoder STRING-TCP Medium False CSCsi70742 5818.2 Metasploit Shellcode Encoder STRING-TCP Medium False CSCsi70742 5818.4 Metasploit Shellcode Encoder STRING-TCP Medium False CSCsi70742 5818.6 Metasploit Shellcode Encoder STRING-TCP Medium False CSCsi70742 5818.8 Metasploit Shellcode Encoder STRING-TCP Medium False CSCsi70742 5818.10 Metasploit Shellcode Encoder 
STRING-TCP Medium False CSCsi70742 CAVEATS None. ======================================================================== S283 SIGNATURE UPDATE DETAILS NEW SIGNATURES PLATFORM SIGID SIGNAME ENGINE SEVERITY ENABLED 5.x,6.x 5855.0 Helix Remote Code Execution STRING-TCP High True 5.x,6.x 5861.0 Cisco CNS Netflow Collection SERVIE-HTTP High True Engine Default Password 5.x,6.x 5861.1 Cisco CNS Netflow Collection STRING-TCP High True Engine Default Password TUNED SIGNATURES PLATFORM SIGID SIGNAME DDTS 5.x,6.x 5858.4 DNS Server RPC Interface Buffer Overflow CSCsi56228 Details: Regex was modified to increase fidelity. CAVEATS None. ======================================================================== S282 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5858.1 DNS Server RPC Interface Buffer Overflow META High True 5858.2 DNS Server RPC Interface Buffer Overflow STRING-TCP Info True 5858.3 DNS Server RPC Interface Buffer Overflow STRING-TCP Info True 5858.4 DNS Server RPC Interface Buffer Overflow ATOMIC-IP High True TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 5858.0 DNS Server RPC Interface Buffer Overflow SERVICE-MSRPC High True CSCsi53171 Details: Regex was modified to increase fidelity. CAVEATS None. ======================================================================== S281 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5858.0 DNS Server RPC Interface Buffer Overflow SERVICE-MSRPC High True TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. ======================================================================== S280 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5851.0 WCS Administrative Directory Access SERVICE-HTTP Low True TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. 
======================================================================== S279 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5748.4 Non-SMTP Session Start STRING-TCP Info True 5748.5 Non-SMTP Session Start STRING-TCP Info True 5848.0 Content Management Service Cross-site Scripting SERVICE-HTTP High True 5849.0 Microsoft Content Management Server Vulnerability SERVICE-HTTP High True 5854.1 Cisco CUCM/CUPS Denial of Service Vulnerability STRING-TCP Medium True 5856.0 Agent URL Parsing Remote Code Execution META High True 5856.1 Agent URL Parsing Remote Code Execution STRING-TCP Info True 5856.2 Agent URL Parsing Remote Code Execution STRING-TCP Info True 5857.0 UPnP Memory Corruption Vulnerability META High True 5857.1 UPnP Memory Corruption Vulnerability STRING-TCP Info True 5857.2 UPnP Memory Corruption Vulnerability STRING-TCP Info True TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS 5606.0 SMB Authorization Failure SERVICE-SMB-ADVANCED Info True CSCsi28135 Details: Event count set to 3. 5748.0 Non-SMTP Session Start META Low True CSCsi13918 Details: Additional component signatures were added to increase signature fidelity. 5788.0 ICCP Invalid TPKT Protocol STRING-TCP Low False CSCsi41363 Details: Regex was modified for cross-platform support. 5846.0 FTP 230 Reply Code STRING-TCP Info True CSCsi30977 Details: Regex was modified to increase fidelity. CAVEATS None.