Cisco Intrusion Prevention System Signature Update S293
July 10, 2007

Copyright (C) 1999-2007 Cisco Systems, Inc. All rights reserved. Printed in the USA. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

S293 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS

IMPORTANT NOTES
  - MINIMUM REQUIRED VERSION IS NOW 5.1-5-E1
  - ANNOUNCING AVAILABILITY OF IPS VERSIONS 6.0(3)E1 & 5.1(6)E1 SERVICE PACKS

IPS 5.1(5)E1 AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

IPS 5.x EVENT VIEWER SUPPORT

S257-S291 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
S293 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                ENGINE      SEVERITY  ENABLED
5877.0  IE Protocol Handler Command Execution  STRING-TCP  High      True

CAVEATS

None.

========================================================================
IMPORTANT NOTES

MINIMUM REQUIRED VERSION IS NOW 5.1-5-E1

Beginning with S288, customers must be running IPS version 5.1-5-E1 or later to install signature updates. Signature updates on sensors running IPS versions older than 5.1-5-E1 (i.e. sensors using the nomenclature 'IPS-sig-S2XX-minreq-5.1-4') are no longer supported.

The E1 Engine update for IPS Version 5.1(5) is available for download on Cisco.com.
This release includes the E1 engine update package and the 5.1(5)E1 Service Pack and System/Recovery images, which replace the 5.1(5) Service Pack and System/Recovery images.

Also note that, beginning with the S288 signature update, both IPS version 5.1 and 6.0 sensors will use the same signature update package. As such, signature update files for both IPS 5.1 and 6.x will be posted to the following URLs:

Sensor:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

CSM/ IPS MC:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup

Note: Beginning with S288, signature update files will no longer be posted to:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

Engine updates are not supported on IPS versions 5.1(4) and older. Customers on IPS versions 5.1(4) and older must upgrade to 5.1(5)E1 to ensure full signature coverage.

With the release of the E1 engine update, the IPS Signature nomenclature changes from IPS-sig-S2XX-minreq-5.1-4.pkg to IPS-sig-S2XX-req-E1.pkg to reflect the new Engine requirements (in this case, E1).

For details regarding Cisco's End-of-Sale policy for signature updates, refer to the "End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors" Product Bulletin available at the following URL:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd80358daa.html

The 5.1(5) E1 engine update and associated service packs and system/recovery images can be downloaded from Cisco.com at the URLs listed below. You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site and have an active Cisco Service for IPS maintenance contract to request software upgrades from Cisco.com.

Engine Update Files:
  Sensor (IPS-K9-engine-E1-req-5.1-5.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/IPS MC (IPS-CS-MGR-engine-E1-req-5.1-5.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

Service Pack Files:
  Sensor (IPS-K9-5.1-5-E1.pkg or IPS-4260-K9-5.1-5-E1.pkg):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/ IPS MC (IPS-CS-MGR-K9-5.1-5-E1.zip or IPS-CS-MGR-4260-K9-5.1-5-E1.zip):
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

System and Recovery Image Files:
  Appliance Sensors:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
  ASA-SSM:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
  IDSM2:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
  NM-CIDS:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

Additional Information:

Customers on IPS 5.1(4) or older:
- Upgrade to IPS 5.1(5)E1 using the 5.1(5)E1 Service Pack File
- Begin using the engine style signature updates available on Cisco.com at the following URL:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers on IPS 5.1(5):
- Install the E1 engine update
- Begin using the engine style signature updates available on Cisco.com at the following URL:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers using VMS 2.3 w/IPS MC 2.2:
- The Engine updates will require the customer to verify and/or install Service Pack 2 for the IPS MC 2.2.
- The following link will take you to the Service Pack 2 download:
  http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

Customers using CSM 3.0.1:
- The Engine updates will require the customer to verify and/or install the IPS Patch.
- The following link will take you to the IPS Patch:
  http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

Customers using CSM 3.1:
- No action required, engine updates are supported

ANNOUNCING AVAILABILITY OF IPS VERSIONS 6.0(3)E1 & 5.1(6)E1 SERVICE PACKS

The 6.0(3)E1 and 5.1(6)E1 Service Packs for Cisco IPS Version 6.0 and 5.1 sensors are now available for download. These releases contain bug-fixes, the E1 engine update, and the S291 signature update release. Also included in this release are system and recovery images that can be used to completely re-image a sensor to 6.0(3)E1 or 5.1(6)E1.

Note: System and recovery images are intended primarily for disaster recovery and should not be used to upgrade your sensor as all configuration settings will be lost. To upgrade your sensor and maintain configuration settings, the service pack files should be used.

For installation instructions and details regarding the bug-fixes delivered in these service packs, refer to the readme files available at the URLs listed below.

The 6.0(3)E1 and 5.1(6)E1 service pack, recovery image, and system image files can be downloaded from Cisco.com at the URLs listed below. You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site and have an active Cisco Service for IPS maintenance contract to request software upgrades from Cisco.com.

6.0(3)E1 Service Pack Files:
  Sensor:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6
  CSM/ IPS MC:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

6.0(3)E1 System and Recovery Image Files:
  Appliance Sensors:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-system
  ASA-SSM:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-asa-aip
  IDSM2:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-cat6500-idsm2-sys
  NM-CIDS:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-nm-image-files

5.1(6)E1 Service Pack Files:
  Sensor:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  CSM/ IPS MC:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

5.1(6)E1 System and Recovery Image Files:
  Appliance Sensors:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
  ASA-SSM:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
  IDSM2:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
  NM-CIDS:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

========================================================================
IPS 5.1(5)E1 AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install signature update S293 or later.
------------------------------------------------------------------------

----------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S293 signature update contains all previously released signature updates.

This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
----------------------------------------------------------------------

The IPS-sig-S293-req-E1.pkg upgrade file can be applied to the following sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router Families.
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)

The sensor must report its version as 5.1(5)E1 or later before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

    show version

INSTALLATION

------------------------------------------------------------------------
Note: This signature update may take a while to install depending on the configuration of the sensor and the amount of traffic the sensor is processing. Please do not reboot the sensor while the signature update is installing as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system.
For details, refer to the Copy command section in the applicable Command Reference Guide located at the following URLs:

IPS Version 6.0:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cmdref/crcmds.htm#wp458440
IPS Version 5.1:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crcmds.htm#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S293 signature update on a 5.1(5)E1 or later sensor:

1. Download the binary file IPS-sig-S293-req-E1.pkg to an ftp, scp, http, or https server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

       configure terminal

4. Execute the upgrade command by typing the following:

       upgrade [URL]/IPS-sig-S293-req-E1.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following:

       upgrade ftp://username@ip-address//directory/IPS-sig-S293-req-E1.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S293 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Please do not reboot the sensor while the signature update is occurring as the sensor may be left in an unknown state requiring the sensor to be reimaged.
------------------------------------------------------------------------

CAVEATS

None.

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS

You can only apply the IPS-CS-MGR-sig-S293-req-E1.zip signature update file to CSM 3.0 or later and IPS MC version 2.2 or later.

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install signature update S293 or later.
------------------------------------------------------------------------

INSTALLATION

To install the version S293 signature update on CSM or IPS MC, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/etc/ids/updates directory on the server where you have installed CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2. Start IPS MC from the CiscoWorks Server desktop.
3. Select Configuration > Updates.
4. In the TOC, select Update Network IDS/IPS Signatures.
5. In the TOC, select Submit.
6. Select a file from the Update File list box and click Apply.
7. Select the sensor(s) you want to update and click Next.
8. Enter Job Name (optional) and select Schedule Type: Immediate or Scheduled. If Scheduled is selected then set the start time of the update.
9. Click Next to continue.
10. Verify the Summary is correct. Use the Back button to correct an incorrect entry.
11. Click Finish.

Check the progress viewer to track the installation of the signature update to the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using IPS MC, follow the uninstallation instructions listed in the SENSOR SIGNATURE UPDATE INSTRUCTIONS sections of this document.

CAVEATS

None.

========================================================================
IPS 5.x EVENT VIEWER SUPPORT

The IPS Event Viewer (IEV) Version 5.2(1) supports IPS 5.0 and later releases. IEV Version 5.2(1) can be downloaded from CCO at the following URL:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

Refer to the readme for installation instructions.

NOTE: Signature information is now dynamically retrieved from the sensor(s). It is no longer necessary to install a separate IEV signature update package for each new signature update.

The following additional applications can be used for event monitoring:

- IDS Security Monitor Version 2.1 or later
- CLI
- IDM
- CS MARS

For details on using CLI or IDM refer to the user documentation available at:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/index.htm

For more information on CS-MARS, visit:
  http://www.cisco.com/en/US/products/ps6241/index.html

========================================================================
S291 SIGNATURE UPDATE DETAILS

TUNED SIGNATURES

SIGID   SIGNAME                              ENGINE           SEVERITY  ENABLED  DDTS
5829.0  Invalid SSL Packet                   SERVICE-GENERIC  Medium    True     CSCsi10673
        Details: The intermediate instructions have been modified to increase fidelity. The signature name has changed.
5871.0  Urlmon.dll COM Object Instantiation  STRING-TCP       High      True     CSCsj31189
        Details: The signature has been modified to increase fidelity. The signature name has changed.

CAVEATS

None.

========================================================================
S290 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                           ENGINE      SEVERITY  ENABLED
5775.1  MHTML Redirection                                 STRING-TCP  Low       True
5868.0  IE Navigation Cancel Page Spoofing Vulnerability  STRING-TCP  Medium    True
5869.0  Internet Explorer CSS Tag Memory Corruption       STRING-TCP  High      True
5870.0  Win32 API Vulnerability                           STRING-TCP  High      True
5871.0  License Manager ActiveX Control Instantiation     STRING-TCP  High      True
5873.0  Microsoft Speech API 4 ActiveX Overflow           STRING-TCP  High      True
5874.0  Microsoft Speech API 4 ActiveX Overflow           STRING-TCP  High      True

TUNED SIGNATURES

SIGID   SIGNAME                               ENGINE      SEVERITY  ENABLED  DDTS
3403.0  Telnet Excessive Environment Options  STRING-TCP  High      False    CSCsj21903
        Details: The signature was disabled and retired.

CAVEATS

None.

========================================================================
S289 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID   SIGNAME                    ENGINE                SEVERITY  ENABLED  DDTS
3328.0  Windows SMB/RPC NoOp Sled  STRING-TCP            Medium    True     CSCsj06346
        Details: The regex of this signature has been modified to improve signature fidelity.
5596.0  Windows SMB/RPC NoOp Sled  SERVICE-SMB-ADVANCED  Medium    True     CSCsj06346
        Details: The regex of this signature has been modified to improve signature fidelity.
5751.0  Ultr@VNC Client Overflow   STRING-TCP            High      True     CSCsg34564
        Details: The regex of this signature has been modified to improve signature fidelity.

CAVEATS

None.

========================================================================
S288 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                  ENGINE      SEVERITY  ENABLED
5866.0  IBM Lotus Domino IMAP CRAM-MD5 Overflow  STRING-TCP  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S287 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                             ENGINE         SEVERITY  ENABLED
5843.0  CA BrightStor Tape Engine Overflow  SERVICE-MSRPC  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S286 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID   SIGNAME                                             ENGINE      SEVERITY  ENABLED  DDTS
5865.1  Microsoft WMS Arbitrary File Rewrite Vulnerability  STRING-TCP  Info      True     CSCsi84401
        Details: The regex of this signature has been modified to improve signature fidelity.

The following signatures have been retired to resolve CSCsi84693:

SIGID   SIGNAME                                   ENGINE      SEVERITY  ENABLED  DDTS
5642.0  DirectShow Overflow                       STRING-TCP  Info      False    CSCsi84693
5642.1  DirectShow Overflow                       STRING-TCP  Info      False    CSCsi84693
5642.2  DirectShow Overflow                       STRING-TCP  Medium    False    CSCsi84693
5642.3  DirectShow Overflow                       META        High      False    CSCsi84693
6004.0  IOS HTTP Server Iframe Command Injection  STRING-TCP  High      False    CSCsi84693

CAVEATS

None.

========================================================================
S285 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                    ENGINE      SEVERITY  ENABLED
5860.0  IOS FTPd Successful Login  META        Low       True
5860.1  IOS FTPd Successful Login  STRING-TCP  Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S284 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                                       ENGINE        SEVERITY  ENABLED
5840.2  Internet Explorer CLSID Code Execution                        STRING-TCP    High      True
5862.0  Outlook Web Access UTF Character Script Execution             MULTI-STRING  High      True
5863.0  Internet Explorer CAPICOM.Certificates Remote Code Execution  META          High      True
5863.1  Internet Explorer CAPICOM.Certificates Remote Code Execution  STRING-TCP    Info      True
5863.2  Internet Explorer CAPICOM.Certificates Remote Code Execution  STRING-TCP    Info      True
5864.0  Exchange Server IMAP Literal Processing Vulnerability         STRING-TCP    Medium    True
5865.0  Microsoft WMS Arbitrary File Rewrite Vulnerability            META          High      True
5865.1  Microsoft WMS Arbitrary File Rewrite Vulnerability            STRING-TCP    Info      True
5865.2  Microsoft WMS Arbitrary File Rewrite Vulnerability            STRING-TCP    Info      True

TUNED SIGNATURES

SIGID   SIGNAME                                  ENGINE      SEVERITY  ENABLED  DDTS
5840.0  Internet Explorer CLSID Code Execution   STRING-TCP  High      True     CSCsi55663
        Details: Regex was modified to increase fidelity.
5689.0  MSSQL Resolution Service Keep-Alive DoS  ATOMIC-IP   Medium    True     CSCsi74017
        Details: To increase fidelity, udp-valid-length parameter for this signature has been modified from 2 to 2-30000.

The following signatures have been retired to resolve CSCsi70742:

SIGID    SIGNAME                                                    ENGINE      SEVERITY  ENABLED  DDTS
3161.0   FTP realpath Buffer Overflow                               STRING-TCP  High      False    CSCsi70742
3161.1   FTP realpath Buffer Overflow                               STRING-TCP  High      False    CSCsi70742
3235.0   showHelp CHM File Execution Weakness                       STRING-TCP  High      False    CSCsi70742
3235.1   showHelp CHM File Execution Weakness                       STRING-TCP  High      False    CSCsi70742
3252.0   Microsoft Agent ActiveX Control                            STRING-TCP  Low       False    CSCsi70742
3340.0   Windows Shell External Handler                             STRING-TCP  High      False    CSCsi70742
3346.0   Windows TSShutdn.exe Attempt                               STRING-TCP  Info      False    CSCsi70742
3353.0   SMB Request Overflow                                       STRING-TCP  Medium    False    CSCsi70742
3353.1   SMB Request Overflow                                       META        High      False    CSCsi70742
3353.2   SMB Request Overflow                                       META        High      False    CSCsi70742
3409.0   Telnet Over Non-standard Ports                             STRING-TCP  Info      False    CSCsi70742
3409.1   Telnet Over Non-standard Ports                             STRING-TCP  Info      False    CSCsi70742
3409.2   Telnet Over Non-standard Ports                             STRING-TCP  Info      False    CSCsi70742
5407.0   IIS PCT Overflow                                           STRING-TCP  High      False    CSCsi70742
5409.0   Microsoft HCP Remote Code Execution                        STRING-TCP  High      False    CSCsi70742
5409.1   Microsoft HCP Remote Code Execution                        STRING-TCP  High      False    CSCsi70742
5446.0   Internet Explorer Install Engine Overflow                  STRING-TCP  High      False    CSCsi70742
5645.0   SSH URI Handler                                            STRING-TCP  Low       False    CSCsi70742
5730.0   Winamp Playlist File Handling Buffer Overflow              STRING-TCP  High      False    CSCsi70742
5774.0   Windows Media Player PNG Processing Remote Code Execution  STRING-TCP  High      False    CSCsi70742
5793.0   SMB Server Driver Remote Execution                         STRING-TCP  High      False    CSCsi70742
5818.0   Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742
5818.2   Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742
5818.4   Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742
5818.6   Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742
5818.8   Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742
5818.10  Metasploit Shellcode Encoder                               STRING-TCP  Medium    False    CSCsi70742

CAVEATS

None.

========================================================================
S283 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

PLATFORM  SIGID   SIGNAME                                               ENGINE        SEVERITY  ENABLED
5.x,6.x   5855.0  Helix Remote Code Execution                           STRING-TCP    High      True
5.x,6.x   5861.0  Cisco CNS Netflow Collection Engine Default Password  SERVICE-HTTP  High      True
5.x,6.x   5861.1  Cisco CNS Netflow Collection Engine Default Password  STRING-TCP    High      True

TUNED SIGNATURES

PLATFORM  SIGID   SIGNAME                                   DDTS
5.x,6.x   5858.4  DNS Server RPC Interface Buffer Overflow  CSCsi56228
          Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
S282 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                   ENGINE      SEVERITY  ENABLED
5858.1  DNS Server RPC Interface Buffer Overflow  META        High      True
5858.2  DNS Server RPC Interface Buffer Overflow  STRING-TCP  Info      True
5858.3  DNS Server RPC Interface Buffer Overflow  STRING-TCP  Info      True
5858.4  DNS Server RPC Interface Buffer Overflow  ATOMIC-IP   High      True

TUNED SIGNATURES

SIGID   SIGNAME                                   ENGINE         SEVERITY  ENABLED  DDTS
5858.0  DNS Server RPC Interface Buffer Overflow  SERVICE-MSRPC  High      True     CSCsi53171
        Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
S281 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                   ENGINE         SEVERITY  ENABLED
5858.0  DNS Server RPC Interface Buffer Overflow  SERVICE-MSRPC  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S280 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                              ENGINE        SEVERITY  ENABLED
5851.0  WCS Administrative Directory Access  SERVICE-HTTP  Low       True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S279 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   SIGNAME                                            ENGINE        SEVERITY  ENABLED
5748.4  Non-SMTP Session Start                             STRING-TCP    Info      True
5748.5  Non-SMTP Session Start                             STRING-TCP    Info      True
5848.0  Content Management Service Cross-site Scripting    SERVICE-HTTP  High      True
5849.0  Microsoft Content Management Server Vulnerability  SERVICE-HTTP  High      True
5854.1  Cisco CUCM/CUPS Denial of Service Vulnerability    STRING-TCP    Medium    True
5856.0  Agent URL Parsing Remote Code Execution            META          High      True
5856.1  Agent URL Parsing Remote Code Execution            STRING-TCP    Info      True
5856.2  Agent URL Parsing Remote Code Execution            STRING-TCP    Info      True
5857.0  UPnP Memory Corruption Vulnerability               META          High      True
5857.1  UPnP Memory Corruption Vulnerability               STRING-TCP    Info      True
5857.2  UPnP Memory Corruption Vulnerability               STRING-TCP    Info      True

TUNED SIGNATURES

SIGID   SIGNAME                     ENGINE                SEVERITY  ENABLED  DDTS
5606.0  SMB Authorization Failure   SERVICE-SMB-ADVANCED  Info      True     CSCsi28135
        Details: Event count set to 3.
5748.0  Non-SMTP Session Start      META                  Low       True     CSCsi13918
        Details: Additional component signatures were added to increase signature fidelity.
5788.0  ICCP Invalid TPKT Protocol  STRING-TCP            Low       False    CSCsi41363
        Details: Regex was modified for cross-platform support.
5846.0  FTP 230 Reply Code          STRING-TCP            Info      True     CSCsi30977
        Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================