Cisco Intrusion Prevention System Signature Update S283
April 26, 2007

Copyright (C) 1999-2007 Cisco Systems, Inc. All rights reserved. Printed in
the USA. Cisco, Cisco Systems, and the Cisco Systems logo are registered
trademarks of Cisco Systems, Inc. in the U.S. and certain other countries.
All other trademarks mentioned in this document are the property of their
registered owners.

========================================================================
Table Of Contents
========================================================================

IMPORTANT NOTES
  - ENGINE UPDATES FOR IPS VERSION 5.1(5)
  - MINIMUM REQUIRED VERSIONS
S283 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS
IPS 6.x SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
IPS 5.x SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - RESOLVED CAVEATS
  - CAVEATS
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
IPS 5.x EVENT VIEWER SUPPORT
S257-S282 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
IMPORTANT NOTES

ENGINE UPDATES FOR IPS VERSION 5.1(5)

The E1 Engine update for IPS Version 5.1 is now available for download on
Cisco.com. This release includes the E1 engine update package and the
5.1(5)E1 Service Pack and System/Recovery images, which replace the 5.1(5)
Service Pack and System/Recovery images. Engine updates are not supported
on IPS versions 5.1(4) and older. Customers on IPS versions 5.1(4) and
older must upgrade to 5.1(5)E1 no later than May 1, 2007 to ensure full
signature coverage.

With the release of the E1 engine update, the IPS signature nomenclature
changes from IPS-sig-S2XX-minreq-5.1-4.pkg to IPS-sig-S2XX-req-E1.pkg to
reflect the new Engine requirement (in this case, E1). Cisco will support
the release of both signature update types until May 1, 2007. After
May 1, 2007, only the newer engine-style signature updates will be
released.

Best effort will be made to provide advance notification of planned
Engine updates. However, in the event of an immediate need to respond to
a new threat, we will post the Engine update without significant advance
notification. If you have any further questions regarding Engine
updates, please reach out to your Cisco Account team.

The 5.1(5) E1 engine update and associated service packs and
system/recovery images can be downloaded from Cisco.com at the URLs
listed below. You must be logged on to Cisco.com using an account with
cryptographic privileges to access the download site and have an active
Cisco Service for IPS maintenance contract to request software upgrades
from Cisco.com.

Engine Update Files:
  Sensor (IPS-K9-engine-E1-req-5.1-5.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/IPS MC (IPS-CS-MGR-engine-E1-req-5.1-5.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

Service Pack Files:
  Sensor (IPS-K9-5.1-5-E1.pkg or IPS-4260-K9-5.1-5-E1.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/ IPS MC (IPS-CS-MGR-K9-5.1-5-E1.zip or IPS-CS-MGR-4260-K9-5.1-5-E1.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

System and Recovery Image Files:
  Appliance Sensors: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
  ASA-SSM:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
  IDSM2:             http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
  NM-CIDS:           http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

Signature Updates:
  Sensor:      http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup
  CSM/ IPS MC: http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup

Additional Information:

Customers on IPS 5.1(4) or older:
  - Upgrade to IPS 5.1(5)E1 no later than May 1, 2007 using the 5.1(5)E1
    Service Pack File.
  - Signature updates released after May 1, 2007 will not be supported on
    IPS 5.1(4).
  - Upon upgrading to 5.1(5)E1, begin using the engine style signature
    updates available on Cisco.com at the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers on IPS 5.1(5):
  - Install the E1 engine update to ensure full signature coverage beyond
    May 1, 2007.
  - Begin using the engine style signature updates available on Cisco.com
    at the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers using VMS 2.3 w/IPS MC 2.2:
  - The Engine updates will require the customer to verify and/or install
    Service Pack 2 for the IPS MC 2.2.
  - The following link will take you to the Service Pack 2 download:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

Customers using CSM 3.0.1:
  - The Engine updates will require the customer to verify and/or install
    the IPS Patch.
  - The following link will take you to the IPS Patch:
    http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

Customers using CSM 3.1:
  - No action required; engine updates are supported.

MINIMUM REQUIRED VERSIONS

Beginning with S274, the minimum required IPS software version for
signature updates is 5.1(4). Customers must upgrade to IPS software
version 5.1(4) or later in order to install S274 and later signature
updates.

The next minimum required version change will be to IPS software version
5.1(5). This change will be implemented on or soon after May 1st, 2007.
To ensure that you are able to install the latest signature updates, we
strongly recommend that you upgrade your IPS sensors to version 5.1(5)
prior to May 1st, 2007.

For more detailed installation instructions and details regarding the
bug fixes delivered in these service packs, refer to the readme files
available at the URLs listed below. The 5.1(x) service packs, recovery
images, and system image files can be downloaded from Cisco.com at:
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

You must be logged on to Cisco.com using an account with cryptographic
privileges to access the download site and have an active Cisco Service
for IPS maintenance contract to request software upgrades from Cisco.com.
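As an added pre-flight check (example code written for this readme, not a Cisco tool), the following Python script encodes the package-to-version rules stated above: a req-E1 package needs a sensor reporting 5.1(5)E1 or 6.0(1)E1 and later, a minreq-5.1-4 package needs 5.1(4) or 5.1(5) without the E1 engine, and the file name must be kept exactly as downloaded. It assumes the version string passed in is the value reported by `show version` (for example `5.1(5)E1`); the full layout of that command's output is not parsed, and the function names and the sample inputs are the example's own.

```python
"""Pre-flight check for a Cisco IPS signature update package (added example).

Rules taken from the readme for the two S2XX package styles:

  IPS-sig-S2XX-req-E1.pkg        6.0(1)E1 or later, or 5.1(5) with the E1 engine update
  IPS-sig-S2XX-minreq-5.1-4.pkg  5.1(4) or 5.1(5) without the E1 engine update

Assumption: the version string is the value read from `show version`
(e.g. "5.1(5)E1"); the exact output layout of that command is not parsed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Package names must stay exactly as downloaded ("You must preserve the original file name").
PKG_RE = re.compile(r"^IPS-sig-S(?P<level>\d{3})-(?P<style>req-E1|minreq-5\.1-4)\.pkg$")
# Sensor version as reported by `show version`: major.minor(servicepack)[engine]
VER_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<sp>\d+)\)(?P<engine>E\d+)?$")
TRANSPORTS = ("scp", "ftp", "http", "https")  # transports the upgrade command accepts


@dataclass(frozen=True)
class SensorVersion:
    major: int
    minor: int
    sp: int
    engine: Optional[str]  # "E1" when the engine update is installed, else None

    @property
    def base(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.sp)


def parse_version(text: str) -> SensorVersion:
    """Parse a version such as '5.1(5)E1' or '6.0(1)E1'; raise ValueError otherwise."""
    m = VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version {text!r}")
    return SensorVersion(int(m["major"]), int(m["minor"]), int(m["sp"]), m["engine"])


def parse_package(filename: str) -> Tuple[int, str]:
    """Return (signature level, style) for a correctly named package, else raise ValueError."""
    m = PKG_RE.match(filename)
    if not m:
        raise ValueError(f"{filename!r} is not an original signature package name; "
                         "the file name must be preserved")
    return int(m["level"]), m["style"]


def check_compat(version_text: str, filename: str) -> Tuple[bool, str]:
    """Decide whether the package may be applied to a sensor reporting version_text.

    Returns (ok, reason); the reason repeats the rule that decided the outcome.
    """
    try:
        ver = parse_version(version_text)
        level, style = parse_package(filename)
    except ValueError as exc:
        return False, str(exc)

    if style == "req-E1":
        # Engine-style updates need the E1 engine: 5.1(5)E1, or 6.0(1)E1 and later.
        if ver.engine == "E1" and ver.base >= (5, 1, 5):
            return True, f"S{level} engine-style package matches {version_text}"
        return False, (f"{filename} needs the E1 engine (5.1(5)E1 or 6.0(1)E1 and later); "
                       f"sensor reports {version_text}")

    # style == "minreq-5.1-4": 5.1(4) or 5.1(5) without the engine update.
    if ver.engine is not None:
        return False, (f"{filename} is for sensors without the E1 engine; "
                       f"use the req-E1 package on {version_text}")
    if ver.base == (5, 1, 4):
        return True, (f"5.1(4) accepts {filename}, but updates released after "
                      "May 1, 2007 will not be supported on 5.1(4); upgrade to 5.1(5)E1")
    if ver.base == (5, 1, 5):
        return True, f"5.1(5) without E1 accepts {filename}"
    return False, f"{filename} needs 5.1(4) or 5.1(5); sensor reports {version_text}"


def build_upgrade_command(server_url: str, filename: str) -> str:
    """Build the line typed in configuration mode, e.g.
    upgrade ftp://username@ip-address//directory/IPS-sig-S283-req-E1.pkg
    """
    scheme = server_url.split("://", 1)[0].lower()
    if scheme not in TRANSPORTS:
        raise ValueError(f"transport {scheme!r} not supported; use one of {TRANSPORTS}")
    return f"upgrade {server_url.rstrip('/')}/{filename}"


if __name__ == "__main__":
    # Constructed inputs: three sensors and the two S283 package styles from this readme.
    for ver, pkg in [("6.0(1)E1", "IPS-sig-S283-req-E1.pkg"),
                     ("5.1(5)", "IPS-sig-S283-req-E1.pkg"),
                     ("5.1(4)", "IPS-sig-S283-minreq-5.1-4.pkg")]:
        ok, why = check_compat(ver, pkg)
        print(f"{ver:10} {pkg:32} {'OK' if ok else 'NO'}  {why}")
```

Run the check against the string from `show version` before staging the package on the FTP/SCP/HTTP server; a renamed file is rejected by `parse_package`, which mirrors the CAUTION in the installation steps.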
========================================================================
S283 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

PLATFORM  SIGID   SIGNAME                                               ENGINE        SEVERITY  ENABLED
5.x,6.x   5855.0  Helix Remote Code Execution                           STRING-TCP    High      True
5.x,6.x   5861.0  Cisco CNS Netflow Collection Engine Default Password  SERVICE-HTTP  High      True
5.x,6.x   5861.1  Cisco CNS Netflow Collection Engine Default Password  STRING-TCP    High      True

TUNED SIGNATURES

PLATFORM  SIGID   SIGNAME                                   DDTS
5.x,6.x   5858.4  DNS Server RPC Interface Buffer Overflow  CSCsi56228
                  Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
IPS 6.x SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S283 signature update
contains all previously released signature updates.

This signature update may contain signatures that include protected
parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

The IPS-sig-S283-req-E1.pkg upgrade file can be applied to the following
IPS version 6.x sensor platforms:

  - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
  - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the
    IDS-4210, IDS-4220, and IDS-4230)
  - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
  - NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router
    Families
  - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security
    Services Module (Requires ASA)
  - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security
    Services Module (Requires ASA)

The sensor must report its version as 6.0(1)E1 before you can apply this
signature update. To determine the current sensor version, log in to the
CLI and type the following command at the prompt:

  show version

INSTALLATION

------------------------------------------------------------------------
Note: This signature update may take a while to install depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the signature update is
installing as the sensor may be left in an unknown state requiring it to
be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended
that you back up your configuration file to a remote system. For details,
refer to the Copy command section in the Version 6.0 Command Reference
Guide located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crcmds.htm#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing
so will leave the sensor in an unknown state and may require that the
sensor be re-imaged.

To install the version S283 signature update on a 6.x sensor:

1. Download the binary file IPS-sig-S283-req-E1.pkg to an ftp, scp, http,
   or https server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

     configure terminal

4. Execute the upgrade command by typing the following:

     upgrade [URL]/IPS-sig-S283-req-E1.pkg

   where [URL] is the uniform resource locator pointing to where the
   signature update package is located. For example, to retrieve the
   update via FTP, type the following:

     upgrade ftp://username@ip-address//directory/IPS-sig-S283-req-E1.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S283 signature update on a 6.x sensor and return
the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

     configure terminal

3. Type the following command to start the downgrade:

     downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the downgrade is
occurring as the sensor may be left in an unknown state requiring the
sensor to be reimaged.
------------------------------------------------------------------------

CAVEATS

None.

========================================================================
IPS 5.x SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S283 signature update
contains all previously released signature updates.

This signature update may contain signatures that include protected
parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

With the release of the E1 Engine Update for IPS Version 5.1 (refer to
ENGINE UPDATES FOR IPS VERSION 5.1(5) under IMPORTANT NOTES above),
customers should upgrade to 5.1(5)E1 and begin installing the engine
style signature updates no later than May 1, 2007 to ensure full
signature coverage.

Customers who have installed the E1 Engine Update for IPS 5.1 must use
the IPS-sig-S283-req-E1.pkg signature update package available at the
following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers running sensor versions 5.1-4 and 5.1-5 (without E1) must use
the IPS-sig-S283-minreq-5.1-4.pkg signature update package available at
the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

To determine the current sensor version, log in to the CLI and type the
following command at the prompt:

  show version

The S283 signature update can be applied to version 5.x sensors as
follows: You can only apply this signature update to the IDS-4210, 4215,
4235, 4240, 4250, 4255 and 4260 series of IDS or IPS appliance sensors,
the WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2), the
NM-CIDS series Intrusion Detection Network Module, and the ASA-SSM-AIP-10
and ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention
Security Service Modules.

INSTALLATION

------------------------------------------------------------------------
Note: Beginning with S274, signature updates have a minimum required
version of 5.1(4). You must be running IPS version 5.1(4) or later to
install signature update S274 or later.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: This signature update may take a while to install depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the signature update is
installing as the sensor may be left in an unknown state requiring it to
be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended
that you back up your configuration file to a remote system. For details,
refer to the Copy command section in the Version 5.1(1) Command Reference
Guide located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crcmds.htm#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing
so will leave the sensor in an unknown state and may require that the
sensor be re-imaged.

To install the version S283 signature update on a 5.x sensor:

1. Download the appropriate binary file, IPS-sig-S283-req-E1.pkg or
   IPS-sig-S283-minreq-5.1-4.pkg, to an ftp, scp, http, or https server on
   your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup, or
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

     configure terminal

4. Execute the upgrade command by typing the following:

     upgrade [URL]/filename

   where [URL] is the uniform resource locator pointing to where the
   signature update package is located. For example, to retrieve the
   update via FTP, type the following:

     upgrade ftp://username@ip-address//directory/filename

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S283 signature update on a 5.1 sensor and return
the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

     configure terminal

3. Type the following command to start the downgrade:

     downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the downgrade is
occurring as the sensor may be left in an unknown state requiring the
sensor to be reimaged.
------------------------------------------------------------------------

RESOLVED CAVEATS

None.

------------------------------------------------------------------------

CAVEATS

None.

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS

You can only apply the IPS-CS-MGR-sig-S283-req-E1.zip or
IPS-sig-S283-minreq-5.1-4.zip signature update file to CSM 3.0 or later
and IPS MC version 2.2 or later.

------------------------------------------------------------------------
Note: Beginning with S274, signature updates now have a minimum required
version of 5.1(4). You must be running IPS version 5.1(4) or later to
install signature update S274 or later.
------------------------------------------------------------------------

INSTALLATION

To install the version S283 signature update on CSM or IPS MC, follow
these steps:

1.  Download the appropriate signature update ZIP file to the
    /MDC/etc/ids/updates directory on the server where you have installed
    CSM/ IPS MC from the following website:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2.  Start IPS MC from the CiscoWorks Server desktop.
3.  Select Configuration > Updates.
4.  In the TOC, select Update Network IDS/IPS Signatures.
5.  In the TOC, select Submit.
6.  Select a file from the Update File list box and click Apply.
7.  Select the sensor(s) you want to update and click Next.
8.  Enter Job Name (optional) and select Schedule Type: Immediate or
    Scheduled. If Scheduled is selected, then set the start time of the
    update.
9.  Click Next to continue.
10. Verify the Summary is correct. Use the Back button to correct an
    incorrect entry.
11. Click Finish. Check the progress viewer to track the installation of
    the signature update on the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using IPS MC, follow
the uninstallation instructions listed in the SENSOR SIGNATURE UPDATE
INSTRUCTIONS sections of this document.

CAVEATS

None.

========================================================================
IPS 5.x EVENT VIEWER SUPPORT

The IPS Event Viewer (IEV) Version 5.2(1) supports IPS 5.0 and later
releases. IEV Version 5.2(1) can be downloaded from CCO at the following
URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

Refer to the readme for installation instructions.

NOTE: Signature information is now dynamically retrieved from the
sensor(s). It is no longer necessary to install a separate IEV signature
update package for each new signature update.

The following additional applications can be used for event monitoring:

  - IDS Security Monitor Version 2.1 or later
  - CLI
  - IDM
  - CS MARS

For details on using the CLI or IDM, refer to the user documentation
available at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/index.htm

For more information on CS-MARS, visit:
http://www.cisco.com/en/US/products/ps6241/index.html

========================================================================
S282 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                   ENGINE      SEVERITY  ENABLED
5858.1  DNS Server RPC Interface Buffer Overflow  META        High      True
5858.2  DNS Server RPC Interface Buffer Overflow  STRING-TCP  Info      True
5858.3  DNS Server RPC Interface Buffer Overflow  STRING-TCP  Info      True
5858.4  DNS Server RPC Interface Buffer Overflow  ATOMIC-IP   High      True

TUNED SIGNATURES

SIGID   SIGNAME                                   ENGINE         SEVERITY  ENABLED  DDTS
5858.0  DNS Server RPC Interface Buffer Overflow  SERVICE-MSRPC  High      True     CSCsi53171
        Details: Regex was modified to increase fidelity.

CAVEATS

None.
========================================================================
S281 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                   ENGINE         SEVERITY  ENABLED
5858.0  DNS Server RPC Interface Buffer Overflow  SERVICE-MSRPC  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S280 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                              ENGINE        SEVERITY  ENABLED
5851.0  WCS Administrative Directory Access  SERVICE-HTTP  Low       True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S279 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                            ENGINE        SEVERITY  ENABLED
5748.4  Non-SMTP Session Start                             STRING-TCP    Info      True
5748.5  Non-SMTP Session Start                             STRING-TCP    Info      True
5848.0  Content Management Service Cross-site Scripting    SERVICE-HTTP  High      True
5849.0  Microsoft Content Management Server Vulnerability  SERVICE-HTTP  High      True
5854.1  Cisco CUCM/CUPS Denial of Service Vulnerability    STRING-TCP    Medium    True
5856.0  Agent URL Parsing Remote Code Execution            META          High      True
5856.1  Agent URL Parsing Remote Code Execution            STRING-TCP    Info      True
5856.2  Agent URL Parsing Remote Code Execution            STRING-TCP    Info      True
5857.0  UPnP Memory Corruption Vulnerability               META          High      True
5857.1  UPnP Memory Corruption Vulnerability               STRING-TCP    Info      True
5857.2  UPnP Memory Corruption Vulnerability               STRING-TCP    Info      True

TUNED SIGNATURES

SIGID   SIGNAME                     ENGINE                SEVERITY  ENABLED  DDTS
5606.0  SMB Authorization Failure   SERVICE-SMB-ADVANCED  Info      True     CSCsi28135
        Details: Event count set to 3.
5748.0  Non-SMTP Session Start      META                  Low       True     CSCsi13918
        Details: Additional component signatures were added to increase
        signature fidelity.
5788.0  ICCP Invalid TPKT Protocol  STRING-TCP            Low       False    CSCsi41363
        Details: Regex was modified for cross-platform support.
5846.0  FTP 230 Reply Code          STRING-TCP            Info      True     CSCsi30977
        Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
S278 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                          ENGINE           SEVERITY  ENABLED
5854.0  Cisco CUCM/CUPS Denial of Service Vulnerability  SERVICE-GENERIC  Medium    True

TUNED SIGNATURES

SIGID   SIGNAME                       ENGINE           SEVERITY  ENABLED  DDTS
5289.0  SQLXML ISAPI Buffer Overflow  SERVICE-HTTP     Info      False    CSCsh42737
        Details: Retired set to true.
5788.0  ICCP Invalid TPKT Protocol    STRING-TCP       Low       False    CSCsi20456
        Details: Regex and exact-match-offset modified to increase fidelity.
5837.0  Malformed TCP packet          SERVICE-GENERIC  Medium    True     CSCsi20479
        Details: Intermediate instructions modified to increase performance.

CAVEATS

None.

========================================================================
S277 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                              ENGINE      SEVERITY  ENABLED
5833.0  Quicktime RTSP URL Vulnerability     STRING-TCP  High      True
5852.0  Word Malformed String Vulnerability  STRING-TCP  High      True
5853.0  SIP Invite DoS                       ATOMIC-IP   Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S276 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                 ENGINE      SEVERITY  ENABLED
5840.1  Internet Explorer CLSID Code Execution  STRING-TCP  High      True
5846.0  FTP 230 Reply Code                      STRING-TCP  Info      True
5847.0  FTP Successful Privileged Login         META        Low       True
5847.1  FTP Successful Privileged Login         META        Low       True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S275 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                   ENGINE     SEVERITY  ENABLED
5850.0  Snort DCE/RPC Preprocessor Vulnerability  ATOMIC-IP  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
RESOLVED CAVEATS

CSCsh96912  S274 cannot be re-installed on 5.1(5) after uninstall

  Symptom: After installing and then uninstalling S274 on a 5.1(5)
  sensor, S274 cannot be re-installed. Attempting to re-install S274
  results in an error that S274 is already installed.

  Conditions:
    Install 5.1(5)
    Install S274
    Uninstall S274
    Attempt to re-install S274 and you get an error that S274 is already
    installed

  Workaround: Install the S275 or later signature update package.

========================================================================
S274 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                         ENGINE      SEVERITY  ENABLED
5845.0  Word Memory Corruption Exploit  STRING-TCP  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

CSCsh96912  S274 cannot be re-installed on 5.1(5) after uninstall

  Symptom: After installing and then uninstalling S274 on a 5.1(5)
  sensor, S274 cannot be re-installed. Attempting to re-install S274
  results in an error that S274 is already installed.

  Conditions:
    Install 5.1(5)
    Install S274
    Uninstall S274
    Attempt to re-install S274 and you get an error that S274 is already
    installed

  Workaround: None.

========================================================================
S273 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                 ENGINE        SEVERITY  ENABLED
5838.0  IOS NAM SNMP Traffic    SERVICE-SNMP  High      True
5841.0  CatOS NAM SNMP Traffic  SERVICE-SNMP  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S272 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                       ENGINE      SEVERITY  ENABLED  DDTS
1207.0   IP Fragment Too Many Fragments in a Datagram  NORMALIZER  Info      True     CSCsh30507
1304.0   TCP Session Packet Queue Overflow             NORMALIZER  Info      True     CSCsh30857
1306.0   TCP Option Other                              NORMALIZER  Low       True     CSCsh30928
1306.1   TCP SACK Allowed Option                       NORMALIZER  Info      False    CSCsh30928
1306.2   TCP SACK Data Option                          NORMALIZER  Info      False    CSCsh30928
1306.3   TCP Timestamp Option                          NORMALIZER  Info      False    CSCsh30928
1306.4   TCP Window Scale Option                       NORMALIZER  Info      False    CSCsh30928
1306.5   TCP MSS Option                                NORMALIZER  Info      False    CSCsh30928
1314.0   TCP SYN Packet With Data                      NORMALIZER  Info      False    CSCsh31004
1330.3   TCP Drop - Bad Option List                    NORMALIZER  Info      False    CSCsh32196
1330.4   TCP Drop - Bad Option Length                  NORMALIZER  Info      True     CSCsh32210
1330.11  TCP Drop - Timestamp Not Allowed              NORMALIZER  Info      False    CSCsh32256
1330.13  TCP Drop - Invalid TCP Packet                 NORMALIZER  Info      False    CSCsh32275

The promiscuous delta of the following signatures was modified in S272
due to CSCsh84209:

  3307-0, 3327-11, 3334-3, 3334-4, 3334-8, 3338-1, 3353-1, 3353-2,
  5416-1, 5496-0, 5498-0, 5556-1, 5556-3, 5556-4, 5557-2, 5561-0,
  5565-2, 5567-5, 5567-6, 5567-7, 5567-8, 5572-1, 5572-2, 5609-1,
  5609-2, 5635-2, 5641-2, 5642-3, 5644-3, 5731-0, 5732-0, 5738-3,
  5738-4, 5747-0, 5748-0, 5759-3, 5776-0, 5776-4, 5794-0, 5797-0,
  5799-4, 5799-7, 5804-0, 5805-0, 5806-0, 5813-0, 5814-0, 5815-0,
  5821-0, 5822-0, 5827-0, 5835-2, 5835-5, 6110-0, 6110-1, 6111-0,
  6111-1, 6112-0, 6112-1, 6113-0, 6113-1, 6114-0, 6114-1, 6115-0,
  6115-1, 6116-0, 6116-1, 6117-0, 6117-1, 6118-0, 6118-1, 6130-3,
  6130-5, 6130-9, 6130-11, 6131-2, 6131-5, 6131-7

CAVEATS

None.
========================================================================
S271 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                      ENGINE           SEVERITY  ENABLED
5824.0  HTTP Header DoS              STRING-TCP       Medium    True
5825.0  SIP Malformed Invite Packet  ATOMIC-IP        Medium    True
5837.0  Malformed TCP Packet         SERVICE-GENERIC  Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

The IPS-sig-S271-req-E1.pkg signature update file can only be applied to
IPS Version 6.0(1)E1 and later sensors. The IPS-sig-S271-minreq-5.1-2.pkg
signature update file can only be applied to IPS version 5.1(2), 5.1(3),
and 5.1(4) sensors. Do not attempt to install the 6.0 update file on a
5.1 sensor or attempt to install the 5.1 update file on a 6.0 sensor, as
the update will fail.

========================================================================
S270 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                                  ENGINE      SEVERITY       ENABLED
5814.0  Step-by-Step Interactive Training Remote Code Execution  META        High           True
5814.1  Step-by-Step Interactive Training Remote Code Execution  STRING-TCP  Informational  True
5814.2  Step-by-Step Interactive Training Remote Code Execution  STRING-TCP  Informational  True
5839.0  Internet Explorer FTP Server Response Code Execution     STRING-TCP  High           True
5840.0  Internet Explorer CLSID Code Execution                   STRING-TCP  High           True

========================================================================
S269 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                               ENGINE      SEVERITY  ENABLED
5842.0  Solaris Telnet Authentication Bypass  STRING-TCP  High      True

TUNED SIGNATURES

SIGID   SIGNAME                                    ENGINE      SEVERITY  ENABLED  DDTS
3409.0  Telnet Over Non-standard Ports             STRING-TCP  Info      False    CSCsh45954
3409.1  Telnet Over Non-standard Ports             STRING-TCP  Info      False    CSCsh45954
5503.0  Object Creation In IE Local Zone           STRING-TCP  Info      True     CSCsh72991
5831.0  Cisco Secure Access Control Server RADIUS  ATOMIC-IP   High      True     CSCsh71753
        Accounting Request Vulnerability

========================================================================
S268 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                                 ENGINE      SEVERITY  ENABLED
5820.0  Symantec AntiVirus and Client Security Buffer Overflow  STRING-TCP  High      True
5835.0  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Medium    True
5835.1  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Medium    True
5835.2  Cisco IOS SIP DoS Vulnerability                         META        Medium    True
5835.3  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Info      True
5835.4  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Info      True
5835.5  Cisco IOS SIP DoS Vulnerability                         META        Medium    True
5835.6  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Info      True
5835.7  Cisco IOS SIP DoS Vulnerability                         ATOMIC-IP   Info      True

TUNED SIGNATURES

Meta component information was added to the meta signatures and their
components to improve referencing. This change is documented as
CSCsh25730.

CAVEATS

The IPS-sig-S268-req-E1.pkg Signature Update and all following signature
updates can only be applied to IPS Version 6.0(1)E1 and later sensors.

========================================================================
S267 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                              ENGINE           SEVERITY  ENABLED
5832.0  IOS Crafted IP Option Vulnerability  SERVICE-GENERIC  High      True
5832.1  IOS Crafted IP Option Vulnerability  SERVICE-GENERIC  High      True
5832.2  IOS Crafted IP Option Vulnerability  SERVICE-GENERIC  High      True
5832.3  IOS Crafted IP Option Vulnerability  SERVICE-GENERIC  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

WARNING: This signature update contains a workaround for DDTS CSCsh52564
(Specific Service Generic Advanced Signature does not fire until restart)
by restarting the AnalysisEngine process once the signature update
installs. The restart may take up to 30 minutes or longer depending on
the sensor model and traffic levels. During this time, the sensor will
not be analyzing traffic and will go into bypass if configured for inline
mode. DO NOT reboot the sensor during this time as the sensor may be left
in an unknown state requiring it to be reimaged.

To determine when the update is complete and the sensor is analyzing
traffic, log into the sensor CLI and run the following command:

  # show stat virtual-sensor

The sensor will report the following error if the signature update is not
yet complete:

  "Error: getVirtualSensorStatistics : Analysis Engine is busy rebuilding
  regex tables. This may take a while."

When the sensor reports the virtual sensor statistics, the update is
complete and the sensor is analyzing traffic.

CAVEATS

1. This signature update contains a workaround for DDTS CSCsh52564 by
   restarting the sensorApp process after the signature update. See the
   Warning above for more details.

2. The IPS-sig-S267-req-E1.pkg signature update file can only be applied
   to IPS Version 6.0(1)E1 and later sensors. The
   IPS-sig-S267-minreq-5.1-2.pkg signature update file can only be
   applied to IPS version 5.1(2), 5.1(3), and 5.1(4) sensors. Do not
   attempt to install the 6.0 update file on a 5.1 sensor or attempt to
   install the 5.1 update file on a 6.0 sensor, as the update will fail.

3. CSCsh31999  Signature Update Fails with Custom Signatures in
   Unsupported Engines

   Symptom: A 6.0 signature update will not apply if a custom signature
   exists in any of the following engines:
     service ftp
     traffic icmp
     trojan bo2k
     trojan tfn2k
     trojan udp
     aic ftp

   Conditions: n/a

   Workaround: Remove custom signatures in these engines before upgrading
   to 6.0. If you upgraded to 6.0 without removing custom signatures in
   these engines, you must remove them from the
   /usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml
   file manually using the service account.
========================================================================
S266 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                     ENGINE      SEVERITY  ENABLED
5733.0   Long HTTP Header Hostname   STRING-TCP  Low       True

TUNED SIGNATURES

SIGID    SIGNAME                                ENGINE        SEVERITY  ENABLED  DDTS
3342.0   Windows NetDDE Overflow                SERVICE-SMB   High      True     CSCeg68278
3793.0   ZENworks 6.5 Authentication Overflow   STRING-TCP    High      True     CSCsh20048
5123.0   WWW IIS Internet Printing Overflow     SERVICE-HTTP  High      False    CSCsd38534

CAVEATS

1. The IPS-sig-S266-req-E1.pkg signature update file can only be applied to IPS Version 6.0(1)E1 and later sensors. The IPS-sig-S266-minreq-5.1-2.pkg signature update file can only be applied to IPS version 5.1(2), 5.1(3), and 5.1(4) sensors. Do not attempt to install the 6.0 update file on a 5.1 sensor, or the 5.1 update file on a 6.0 sensor, as the update will fail.

2. CSCsh31999 Signature Update Fails with Custom Signatures in Unsupported Engines
   Symptom: A 6.0 signature update will not apply if a custom signature exists in any of the following engines:
       service ftp
       traffic icmp
       trojan bo2k
       trojan tfn2k
       trojan udp
       aic ftp
   Conditions: n/a
   Workaround: Remove custom signatures in these engines before upgrading to 6.0. If you upgraded to 6.0 without removing custom signatures in these engines, you must remove them from the /usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml file manually using the service account.

========================================================================
S265 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                                      ENGINE        SEVERITY  ENABLED
5830.0   Cisco Secure Access Control Server HTTP Request Overflow                     SERVICE-HTTP  High      True
5831.0   Cisco Secure Access Control Server RADIUS Accounting Request Vulnerability   ATOMIC-IP     High      True

TUNED SIGNATURES

There are no tuned signatures for this release.
CAVEATS

The IPS-sig-S265-req-E1.pkg Signature Update and all following signature updates can only be applied to IPS Version 6.0(1)E1 and later sensors.

CSCsh31999 Signature Update Fails with Custom Signatures in Unsupported Engines
Symptom: A 6.0 signature update will not apply if a custom signature exists in any of the following engines:
    service ftp
    traffic icmp
    trojan bo2k
    trojan tfn2k
    trojan udp
    aic ftp
Conditions: n/a
Workaround: Remove custom signatures in these engines before upgrading to 6.0. If you upgraded to 6.0 without removing custom signatures in these engines, you must remove them from the /usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml file manually using the service account.

========================================================================
S264 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                     ENGINE        SEVERITY  ENABLED
5826.0   EIQ ESA Topology Delete Device Overflow     STRING-TCP    High      True
5828.0   Apache Server Side Cross Site Scripting     SERVICE-HTTP  Medium    False

TUNED SIGNATURES

SIGID    SIGNAME                                     ENGINE                SEVERITY  ENABLED  DDTS
5578.0   SMB 95/98 Password File Access              SERVICE-SMB-ADVANCED  Info      True     CSCsh22313
5579.0   SMB Remote Registry Access Attempt          SERVICE-SMB-ADVANCED  Info      True     CSCsh22313
5579.1   SMB Remote Registry Access Attempt          SERVICE-SMB-ADVANCED  Medium    True     CSCsh22313
5580.0   SMB Remote Lsarpc Service Access Attempt    SERVICE-SMB-ADVANCED  Info      True     CSCsh22313
5581.0   SMB Remote Srvsvc Service Access Attempt    SERVICE-SMB-ADVANCED  Info      True     CSCsh22313
5585.0   SMB Suspicious Password Usage               SERVICE-SMB-ADVANCED  Medium    True     CSCsh22313
5598.0   Windows Workstation Service Overflow        SERVICE-SMB-ADVANCED  High      True     CSCsh22313

CAVEATS

Due to the larger size of the signature update package, installation time may be significantly longer than normal. Ensure that you allow the installation to complete before rebooting or powering down the sensor. Failure to allow the installation to complete may result in a need to re-image the sensor, restoring it to its default settings, in which case your configuration settings will be lost.

CSCsh31999 Signature Update Fails with Custom Signatures in Unsupported Engines
Symptom: A 6.0 signature update will not apply if a custom signature exists in any of the following engines:
    service ftp
    traffic icmp
    trojan bo2k
    trojan tfn2k
    trojan udp
    aic ftp
Conditions: n/a
Workaround: Remove custom signatures in these engines before upgrading to 6.0. If you upgraded to 6.0 without removing custom signatures in these engines, you must remove them from the /usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml file manually using the service account.

CSCsh12977 Creation/cloning of a customer created AD signature should not be allowed.
Symptom: If a user tries to create or clone a 'traffic-anomaly' signature, the system may behave erratically. Ideally, the system would block this kind of invalid configuration, but it does not do so in this release.
Conditions: There is no reason to create a custom or cloned traffic-anomaly signature because they have no input or output effect. All traffic-anomaly (aka Anomaly Detection) signatures are pre-fabricated in the range 13000-13008, and every other entry will be ignored.
Workaround: 1) restore signature definitions to default; 2) if that is problematic, reimage the sensor.

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.
========================================================================
S263 SIGNATURE UPDATE DETAILS

NEW FEATURES

As of the S262 signature update, a new SMB Advanced Engine has been added. It allows more accurate and granular detection, aiding in the protection of your network. Several SMB Advanced signatures are included that obsolete the corresponding SMB engine signatures. The older signatures will be automatically disabled by their SMB Advanced counterparts. The S262 Signature Update details section indicates which items are obsoleted.

NEW SIGNATURES

SIGID    SIGNAME              ENGINE           SEVERITY  ENABLED
5829.0   Microsoft SSL DoS    SERVICE-GENERIC  Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

NOTE: Two new fields (Vulnerable OS and MARS category) were added to all signatures as part of the S262 signature update. These fields will be utilized in the forthcoming IPS Version 6.0 and later releases. These fields will be visible in the 5.1 signature tunings.

------------------------------------------------------------------------
RESOLVED CAVEATS

CSCsh18082 Typedef incompatibilities in S262 result in upgrade failure.
Symptom: Upgrade using the S262 signature update fails with the error "Cannot parse the current config for the component "signatureDefinition" and the instance sig0", and the sensor is returned to its previous state.
Conditions: Certain sig tunings in the following engines trigger the upgrade failure:
    service-h225
    service-msrpc
    service-rpc
    service-dns
    service-generic
    atomic-ip
    flood.host
    service.snmp
    string.icmp
    sweep
Workaround: Upgrade to S263 (or a later sig update) upon its release. Do not re-attempt to install S262.
Further Problem Description: Incompatibilities contained in the new typedefs delivered in the S262 sig update package prevent a small number of signatures defined in older typedefs (pre-S262) from functioning.
------------------------------------------------------------------------
CAVEATS

Due to the larger size of the signature update package, installation time may be significantly longer than normal. Ensure that you allow the installation to complete before rebooting or powering down the sensor. Failure to allow the installation to complete may result in a need to re-image the sensor, restoring it to its default settings, in which case your configuration settings will be lost.

CSCsh12977 Creation/cloning of a customer created AD signature should not be allowed.
Symptom: If a user tries to create or clone a 'traffic-anomaly' signature, the system may behave erratically. Ideally, the system would block this kind of invalid configuration, but it does not do so in this release.
Conditions: There is no reason to create a custom or cloned traffic-anomaly signature because they have no input or output effect. All traffic-anomaly (aka Anomaly Detection) signatures are pre-fabricated in the range 13000-13008, and every other entry will be ignored.
Workaround: 1) restore signature definitions to default; 2) if that is problematic, reimage the sensor.

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.

========================================================================
S262 SIGNATURE UPDATE DETAILS

NEW FEATURES

As of the S262 signature update, a new SMB Advanced Engine has been added. It allows more accurate and granular detection, aiding in the protection of your network.
Several SMB Advanced signatures are included that obsolete the corresponding SMB engine signatures. The older signatures will be automatically disabled by their SMB Advanced counterparts. The S262 Signature Update details section indicates which items are obsoleted.

NEW SIGNATURES

SIGID    SIGNAME                                                ENGINE                SEV   ENABLED  OBSOLETES
1315.0   ACK w/o TCP Stream                                     NORMALIZER            Info  True
1316.0   FIN or RST w/o TCP Stream                              NORMALIZER            Info  False
5586.0   Windows Locator Service Overflow                       SERVICE-SMB-ADVANCED  High  True     3314-0 3314-1 3314-2
5598.1   Windows Workstation Service Overflow                   SERVICE-SMB-ADVANCED  High  True
7000.0   Data Base TNS Connection                               SERVICE-TNS           Info  True
7001.0   TNS Redirect Request                                   SERVICE-TNS           Info  True
5575.0   NBT NetBIOS Session Service Failed Login               SERVICE-SMB-ADVANCED  Info  True     3302-0
5576.0   SMB Login successful with Guest Privileges             SERVICE-SMB-ADVANCED  Info  True     3303-0
5577.0   SMB NULL login attempt                                 SERVICE-SMB-ADVANCED  Info  True     3304-0
5578.0   SMB 95/98 Password File Access                         SERVICE-SMB-ADVANCED  Info  True     3305-0
5579.0   SMB Remote Registry Access Attempt                     SERVICE-SMB-ADVANCED  Info  True     3306-0
5579.1   SMB Remote Registry Access Attempt                     SERVICE-SMB-ADVANCED  Med   True
5580.0   SMB Remote Lsarpc Service Access Attempt               SERVICE-SMB-ADVANCED  Info  True     3308-0
5581.0   SMB Remote Srvsvc Service Access Attempt               SERVICE-SMB-ADVANCED  Info  True     3309-0
5582.0   NetBIOS Enum Share DoS                                 SERVICE-SMB-ADVANCED  High  True
5583.0   SMB Remote SAM Service Access Attempt                  SERVICE-SMB-ADVANCED  Info  True     3310-0
5584.0   SMB .eml email file remote access                      SERVICE-SMB-ADVANCED  Info  True     3312-0
5585.0   SMB Suspicious Password Usage                          SERVICE-SMB-ADVANCED  Med   True     3313-0
5587.0   Microsoft Windows 9x NetBIOS NULL Name Vulnerability   SERVICE-SMB-ADVANCED  High  True     3315-0
5588.0   Windows DCOM Overflow                                  SERVICE-SMB-ADVANCED  High  True     3327-1 3327-2 3327-3 3327-5 3327-6
5589.0   SMB: ADMIN$ Hidden Share Access Attempt                SERVICE-SMB-ADVANCED  Low   True     3320-0
5590.0   SMB: User Enumeration                                  SERVICE-SMB-ADVANCED  Info  True     3321-0
5590.1   SMB: User Enumeration                                  SERVICE-SMB-ADVANCED  Info  True
5591.0   SMB: Windows Share Enumeration                         SERVICE-SMB-ADVANCED  Info  True     3322-0
5591.1   SMB: Windows Share Enumeration                         SERVICE-SMB-ADVANCED  Info  True
5592.0   SMB: RFPoison Attack                                   SERVICE-SMB-ADVANCED  High  True     3323-0
5593.0   SMB NIMDA Infected File Transfer                       SERVICE-SMB-ADVANCED  High  True     3324-0
5594.0   Samba call_trans2open Overflow                         SERVICE-SMB-ADVANCED  High  True     3325-0
5595.0   Windows Startup Folder Remote Access                   SERVICE-SMB-ADVANCED  Med   True     3326-0
5596.0   Windows SMB/RPC NoOp Sled                              SERVICE-SMB-ADVANCED  Med   True     3328-0
5597.0   SMB MSRPC Messenger Overflow                           SERVICE-SMB-ADVANCED  High  True     3333-0
5598.0   Windows Workstation Service Overflow                   SERVICE-SMB-ADVANCED  High  True     3334-0 3334-2 3334-3
5599.0   Anig Worm File Transfer                                SERVICE-SMB-ADVANCED  High  True     3335-0
5600.0   Windows ASN.1 Bit String NTLMv2 Integer Overflow       SERVICE-SMB-ADVANCED  High  True     3336-0
5601.0   Windows LSASS RPC Overflow                             SERVICE-MSRPC         High  True     3338-0 3338-1 3338-2 3338-3
5602.0   Windows System32 Directory File Creation               SERVICE-SMB-ADVANCED  Med   True     3339-0
5603.0   MSRPC Protocol violation                               SERVICE-SMB-ADVANCED  Med   True
5605.0   Windows Account Locked                                 SERVICE-SMB-ADVANCED  Info  True     3343-0
5606.0   SMB Authorization Failure                              SERVICE-SMB-ADVANCED  Info  True     6255-0

TUNED SIGNATURES

There are no tuned signatures for this release.

RESOLVED CAVEATS

The following bugs have been resolved in this release. You can view more details regarding these resolved caveats using the bugtool available at the following URL:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
CSCsg46351   TCP Sessions may hang when signature updates are applied.
CSCsg61492   Sensor memory leak in sensorApp process.
CSCsg24817   sensorApp aborts in InspectorServiceRpc::processDecodeTCPMessage
CSCsg18926   Same default values of summary-threshold for both regular and global.
CSCsg56984   sensorApp InspectorAtomic regex abort.
CSCsg00118   Signature 3702-0 does not alert with password field in TDS Login packet.
CSCse69864   deny-attacker-service-pair-inline missing from the Event Action.
CSCsg25572   SNMP SET with Zero-length string should not fire Sig 4507(36).
CSCsg10839   Sig 3401 1 stops firing after couple of tunings.

CAVEATS

CSCsh12977 Creation/cloning of a customer created AD signature should not be allowed.
Symptom: If a user tries to create or clone a 'traffic-anomaly' signature, the system may behave erratically. Ideally, the system would block this kind of invalid configuration, but it does not do so in this release.
Conditions: There is no reason to create a custom or cloned traffic-anomaly signature because they have no input or output effect. All traffic-anomaly (aka Anomaly Detection) signatures are pre-fabricated in the range 13000-13008, and every other entry will be ignored.
Workaround: 1) restore signature definitions to default; 2) if that is problematic, reimage the sensor.

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.
========================================================================
S261 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                     ENGINE        SEVERITY  ENABLED
5474.1   SQL Query in HTTP Request                                   SERVICE-HTTP  Low       True
5827.0   Internet Explorer ActiveX Control Arbitrary Code Execution  META          High      True
5827.1   Internet Explorer ActiveX Control Arbitrary Code Execution  STRING-TCP    Info      True
5827.2   Internet Explorer ActiveX Control Arbitrary Code Execution  STRING-TCP    Info      True

TUNED SIGNATURES

SIGID    SIGNAME                            ENGINE      SEVERITY  ENABLED  DDTS
5764.0   ShixxNOTE Font Buffer Overflow     STRING-TCP  High      True     CSCsg88936

CAVEATS

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.

========================================================================
S260 SIGNATURE UPDATE DETAILS

NEW FEATURES

There are no new features in this update.
NEW SIGNATURES

SIGID    SIGNAME                                     ENGINE        SEVERITY  ENABLED
3255.0   Apache Long HTTP Header DoS                 SERVICE-HTTP  Medium    False
5801.1   Quicktime JPEG Code Execution Overflow      MULTI-STRING  High      True
5823.0   McAfee Epolicy Overflow                     SERVICE-HTTP  High      True

TUNED SIGNATURES

SIGID     SIGNAME                                                 ENGINE        SEVERITY  ENABLED  DDTS
3137.5    Sober Virus Activity                                    STRING-TCP    High      True     CSCsg80416
3325.0    Samba call_trans2open Overflow                          STRING-TCP    High      False    CSCsg82656
3786.0    Oracle 9i XDB FTP PASS Buffer Overflow                  STRING-TCP    High      True     CSCsg80416
5170.1    Null Byte In HTTP Request                               SERVICE-HTTP  Low       True     CSCsg78818
5477.1    Possible Heap Payload Construction                      STRING-TCP    Low       True     CSCsg80416
5534.0    KaZaA UDP Client Probe                                  ATOMIC-IP     Low       True     CSCsg48394
5534.1    KaZaA UDP Client Probe                                  ATOMIC-IP     Low       True     CSCsg48394
5534.2    KaZaA UDP Client Probe                                  ATOMIC-IP     Low       False    CSCsg48394
5666.0    Unix chetcpasswd.cgi File Disclosure Vulnerability      SERVICE-HTTP  Low       False    CSCsg80416
5801.0    Quicktime JPEG Code Execution Overflow                  STRING-TCP    High      False    CSCsg57313
9546.2    Back Door CGi BioNet                                    STRING-TCP    High      False    CSCsg80416
11236.0   MSN File Transfer Proposal Received                     STRING-TCP    Info      False    CSCsg80416

RESOLVED CAVEATS

None.

CAVEATS

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.
========================================================================
S259 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                               ENGINE      SEVERITY  ENABLED
5821.0   DirectAnimation ActiveX Memory Corruption             META        High      True
5821.1   DirectAnimation ActiveX Memory Corruption             STRING-TCP  Info      True
5821.2   DirectAnimation ActiveX Memory Corruption             STRING-TCP  Info      True
5822.0   Workstation Service Memory Corruption Vulnerability   META        High      True
5822.1   Workstation Service Memory Corruption Vulnerability   STRING-TCP  Info      True
5822.2   Workstation Service Memory Corruption Vulnerability   STRING-TCP  Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

RESOLVED CAVEATS

None.

CAVEATS

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.

========================================================================
S258 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

PLATFORM  SIGID     SIGNAME                                                  ENGINE      SEVERITY  ENABLED  DDTS
5.x       3143.0    BERBEW Trojan Activity                                   STRING-TCP  High      True     CSCsg58659
5.x       3537.0    MailEnable HTTP Authorization Buffer Overflow            STRING-TCP  High      False    CSCsg58659
5.x       3703.0    Squid FTP URL Buffer Overflow                            STRING-TCP  High      False    CSCsg60368
5.x       3737.0    Squid Proxy NTLM Authenticate Overflow                   STRING-TCP  High      True     CSCsg58659
5.x       5365.0    Long WebDAV Request                                      STRING-TCP  High      True     CSCsg58659
5.x       5375.0    Apache mod_dav Overflow                                  STRING-TCP  High      False    CSCsg60368
5.x       5379.0    Windows Media Services Logging ISAPI Overflow            STRING-TCP  High      False    CSCsg58659
5.x       5410.0    APSIS Pound Remote Format String Overflow                STRING-TCP  High      True     CSCsg58659
5.x       5477.2    Possible Heap Payload Construction                       STRING-TCP  High      True     CSCsg66560
5.x       5488.0    Icecast Server HTTP Header Buffer Overflow               STRING-TCP  High      True     CSCsg58659
5.x       5727.0    Cisco VPN 3000 Concentrator HTTP Attack Vulnerability    STRING-TCP  High      True     CSCsg58659
5.x       11210.1   AIM / ICQ Through HTTP Proxy                             STRING-TCP  Info      False    CSCsg58659
5.x       11233.0   SSH Over Non-standard Ports                              STRING-TCP  Info      False    CSCsg58659
5.x       11233.1   SSH Over Non-standard Ports                              STRING-TCP  Info      False    CSCsg58659

RESOLVED CAVEATS

None.

CAVEATS

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.
========================================================================
S257 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                          ENGINE      SEVERITY  ENABLED
5810.0   SecureCRT SSH1 Buffer Overflow   STRING-TCP  High      True

TUNED SIGNATURES

SIGID    SIGNAME                                 ENGINE       SEVERITY  ENABLED  DDTS
3334.0   Windows Workstation Service Overflow    SERVICE-SMB  Info      True     CSCsg02770
3334.1   Windows Workstation Service Overflow    SERVICE-SMB  Info      True     CSCsg02770

Refer to CSCsg59503 for additional signature tunings in this Signature Update.

RESOLVED CAVEATS

CSCsg59503 Unretire atomic IP signatures for S257.
Symptom: The following signatures were originally retired in S256 but are unretired in S257 due to a flaw that may cause the sensor to abort when retired atomic IP signatures are enabled and tuned:
    3327-5, 5648-0, 5739-0, 3327-2, 3143-3, 3143-4, 3357-0, 4068-0, 4602-3, 4602-4, 4607-6, 4607-7, 4607-8, 4607-9, 4609-1, 4612-1, 4615-2, 4615-3, 5177-1, 9583-0, 9580-0, 5506-0, 5506-1, 5507-0, 5509-0, 5510-0, 5518-0, 5529-3, 5529-2, 5529-1, 5529-0, 5532-0, 5533-0, 5544-0, 5546-0, 5679-0, 5681-0, 6067-0, 9418-1, 6203-1, 6508-2, 9430-1, 9433-1, 9401-2, 9403-2, 9412-1
Workaround: Upgrade to signature update S257 or later.
Further Problem Description: This fix provides a workaround for CSCsg56984.

CAVEATS

CSCsg56984 sensorApp InspectorAtomic regex abort
Symptom: The sensorApp process aborts after applying the S256 signature update. It may also abort after tuning ATOMIC IP signatures containing a regex string to both Enabled and Retired.
Workaround: All ATOMIC signatures that are Enabled should also be Active (not retired). This will prevent the issue from occurring. Reboot the sensor. After a reboot following the abort, the symptom no longer occurs. Also see Installation Caveats below.

========================================================================