NetProwler 3.5.1 Security Update 7

June 15, 2001

NetProwler 3.5.1 Security Update 7

Description

NetProwler 3.5.1 SU7 introduces signatures that detect conflicting TCP flags, FrontPage path disclosure, buffer overflows style attacks for FTP, Solaris snmpXdmid, print spooler, and statd services. It also strengthens the already existing NetProwler Girlfriend, CodeBrws_CGI, Perl_CGI, URL_Directory_Traversal, and URL_Hex_Characters signatures. This update contains eighteen new signatures. You may obtain NetProwler 3.5.1 SU7 through the product's auto update feature.

Security Update 7 Signatures

CodeBrws_CGI

SiteServer sample, codebrws.asp, allows remote users to view any file on the file system.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0737
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0738

DNS_IQuery_BufferOverflow

Detects the attempt to obtain root through DNS using improperly formatted inverse queries.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0009

DNS_NXT_BufferOverflow

Detects the attempt to obtain root through DNS using invalid NXT Records.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0833

DNS_TSig_BufferOverflow

Detects the attempt to obtain root through DNS using tsig improper bounds checking. This exploit is considered to be part of the Lion Internet Worm.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0010

FrontPage_Path_Disclosure

Detects attempts of passing non-existent files in order to display the full local path to the web server.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0413

Girlfriend

Girlfriend is a trojan horse program similar to Back Orifice. Girlfriend activity indicates that the network resource has been compromised.

http://www.cert.org/advisories/CA-1999-02.html

Icmp_Mask_Request

Detects the attempts to obtain subnet mask information.

Icmp_Time_Request

Detects the attempts to obtain system time information.

Linux_LPRng_Root

Detects the attempt to obtain root through the Berkeley LPR print spooler. This exploit is considered to be part of the Ramen and ADORE Internet Worms.

http://www.securityfocus.com/bid/1712

Linux_Statd_Root

Detects the attempt to obtain root through rpc.statd.

Nmap_Ping

Detects the usage of pings within the enumeration and reconnaissance tool nmap.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0454

Perl_CGI

Detects attempts to execute remote commands on a web server through the perl interpreter.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0509

Solaris_snmpXdmid_Root

Detects the attempt to obtain root through the snmpXdmid using malicious DMI requests.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0236

Tcp_Syn_Fin

A TCP packet containing conflicting flags can be used to identify IP implementations, or potentially as a denial of service.

Tcp_Xmas_Scan

A TCP packet containing conflicting flags can be used to identify IP implementations, or potentially as a denial of service.

WUFTP_Printf_Root

Detects the attempt to obtain root through FTP SITE EXEC Commands.

URL_Directory_Traversal

Detects directory traversal attempts in a URL.

http://www.securityfocus.com/bid/1806

URL_Hex_Characters

Detects escaped hex characters in a URL.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0304

Last modified on: Wednesday, 06-Feb-02 16:44:18