File: 1239.txt

snort 2.7.0-20.4
Rule:

--
Sid:
1239

--
Summary:
This event is generated when an attempt is made to execute the RFParalyze DoS
exploit.

--
Impact:
If the destination machine is vulnerable, it may start behaving
unpredictably.  Successful exploitation may lead to a full system crash 
or may cause certain services to become unavailable.

--
Detailed Information:
This signature triggers on execution of RFParalyze, an exploit written 
in 2000 by Rain Forest Puppy.  It was based on a binary exploit called 
"whisper", which was used in the wild at that time.  This exploit 
performs a NetBIOS session request with a source host of NULL, which is 
incorrectly handled by Windows 95/98 hosts.

--
Affected Systems:
	Windows 95
	Windows 98

--
Attack Scenarios:
An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.

--
Ease of Attack:
Simple.  Exploit code exists.

--
False Positives:
None known.

--
False Negatives:
Potential future versions of this exploit, which may use
different message strings, will not be detected by this rule.
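
The check below is an added example, not part of the Snort rule or its documentation: it inspects the structure of the NetBIOS session request described under Detailed Information instead of matching message strings. It assumes the "source host of NULL" appears on the wire as a calling name that is empty or decodes to only NUL bytes; the function names and sample packets are constructed for illustration.

```python
import struct

SESSION_REQUEST = 0x81  # RFC 1002 session service packet type

def read_name(buf, off):
    """Decode one first-level-encoded NetBIOS name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:                       # zero-length label ends the name
            break
        if n > 63 or off + n > len(buf):
            raise ValueError("bad label length")
        labels.append(buf[off:off + n])
        off += n
    enc = labels[0] if labels else b""   # later labels are the scope ID
    if len(enc) % 2 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("bad half-ASCII encoding")
    # Each name byte is sent as two characters, 'A' + high nibble, 'A' + low nibble.
    name = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))
    return name, off

def encode_name(name):
    """Inverse of read_name for a 16-byte name; only used to build the samples."""
    enc = bytes(b for c in name.ljust(16) for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))
    return bytes([len(enc)]) + enc + b"\x00"

def inspect(payload):
    """Classify one client-to-server message seen on 139/TCP."""
    if len(payload) < 4 or payload[0] != SESSION_REQUEST:
        return "not-session-request"
    flags, length = struct.unpack(">BH", payload[1:4])
    body = payload[4:4 + (((flags & 1) << 16) | length)]  # length is 17 bits
    try:
        _called, off = read_name(body, 0)
        calling, _ = read_name(body, off)
    except ValueError:
        return "malformed"
    if not calling.strip(b"\x00"):       # assumption: this is the NULL source host
        return "null-calling-name"
    return "ok"

# Constructed samples (not captured traffic).
_frame = lambda body: struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body
NORMAL = _frame(encode_name(b"FILESRV") + encode_name(b"CLIENT01"))
NULL_SRC = _frame(encode_name(b"FILESRV") + b"\x00")
```
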

--
Corrective Action: 
Patches are not available from the vendor.

Use a packet filtering firewall to block inbound traffic to port 139/TCP from
all untrusted networks and hosts.

Upgrade critical machines to a more recent and supported version of the
operating system.

--
Contributors:
Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--