
Thread: False Positive Report: 2001873




False Positive Report: 2001873
user name
2006-09-14 20:57:47
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are getting a high rate of false positives on this signature for legitimate Exchange traffic caused by link state exchange information between routing groups within an Exchange environment. Did that FP Report page ever go up?

This should be documented somewhere that this signature will fire FPs on this type of traffic. Packet payload below:


- --------------------------------------------

APPLIED WATCH EVENT INFORMATION:
Alert ID: 6399326
Priority: 3
Timestamp: Thu Sep 14 15:05:20 CDT 2006
Signature ID : 2001873
Message: BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)

IP HEADER INFORMATION:
Ver: 4
Length: 182
Flags: 4
Checksum: 48854
Hlen: 5
ID: 32633
TTL: 124
Source IP: 10.0.8.20
TOS: 0
Offset: 0
Proto: 6
Dest IP: 172.29.1.193

TCP PROTOCOL INFORMATION:
Source Port: 47267
Dest Port: 25
Seq #: 3717081912
Ack: 2572051777
Offset: 5
Flags: * * * A P * * *
Window: 64791
Checksum: 46136
URP: 0

PAYLOAD INFORMATION:
4500 00b6 7f79 4000 7c06 bed6 0a00 0814 ac1d    E....y@.|.........
01c1 b8a3 0019 dd8e 2b38 994e 6541 5018 fd17    ........+8.NeAP...
b438 0000 582d 4c49 4e4b 3253 5441 5445 204c    .8..X-LINK2STATE L
4153 5420 4348 554e 4b3d 7b30 3030 3030 3036    AST CHUNK={0000006
617d 204d 554c 5449 2028 3529 2028 7b30 3030    a} MULTI (5) ({000
3030 3035 317d 2044 4947 4553 545f 5155 4552    00051} DIGEST_QUER
5920 3839 3833 6131 3039 6130 3261 3762 3463    Y 8983a109a02a7b4c
3933 3065 3330 3837 3838 3535 6234 6361 2062    930e30878855b4ca b
6138 3963 6133 3738 3630 6561 6630 3632 6337    a89ca37860eaf062c7
6530 3238 6466 3632 6130 3164 3020 2029 2020    e028df62a01d0  )
0d0a                                            ..

NOTE INFORMATION:


- --------------------------------------------


Details on this type of traffic below:


http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TechRef/2e348b33-7b1d-4bc7-9432-dfb873a0ab28.mspx?mfr=true

Exchanging Link State Information Between Routing Groups

In an Exchange organization with routing group connectors, link state information is exchanged between routing groups using SMTP. If X.400 connectors are deployed to connect routing groups, then link state information must be exchanged over X.400 also. To accomplish this task, the Exchange MTA calls the routing engine to obtain the current MD5 digest, which is an encrypted signature that represents the version number for the link state table. Based on this information, routing engines determine whether they have the same link state information.

Before sending messages, the local MTA sends the GUID attribute of the Exchange organization and the current MD5 digest in a DIGEST_QUERY packet to the remote MTA. When the remote MTA recognizes the DIGEST_QUERY packet, it passes the information to its routing engine. The routing engine compares the digest with its own digest copy, and passes the comparison results back to its MTA. The remote MTA then sends the response back to the local MTA.


Bleeding-Edge Signature
-------------------------
alert tcp any any -> $SMTP_SERVERS 25 ( \
    msg:"BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; \
    flow:to_server,established; \
    content:"X-LINK2STATE"; nocase; \
    content:"CHUNK="; nocase; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    flowbits:set,msxlsa; \
    reference:cve,CAN-2005-0560; \
    reference:url,isc.sans.org/diary.php?date=2005-04-12; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; \
    classtype:misc-activity; sid:2001873; rev:6; )

-------------------------



-- 

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

--------------------------------------------------
Email:   eric.hines@appliedwatch.com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL 60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iD8DBQFFCcJL1va6QYTV0EMRAgOFAJ9EC6TzRdJh4WyXchbTpJZzvfN+1gCghdNn
zrtERfYTS9MgZBuUNo6YIFk=
=eDi6
-----END PGP SIGNATURE-----
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
False Positive Report: 2001873
user name
2006-09-15 01:01:03
I saw a few FPs today too. They triggered on the body of the incoming message below.

M

Eric Hines wrote:
> We are getting a high rate of false positives on this signature for legitimate Exchange traffic caused by link state exchange information between routing groups within an Exchange environment. Did that FP Report page ever go up?
>
> This should be documented somewhere that this signature will fire FPs on this type of traffic. Packet payload below:
> [...]