
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-05


Farewell 6Bone

Published: 2006-06-05
Last Updated: 2006-06-06 02:09:13 UTC
by Jim Clausing (Version: 1)
0 comment(s)
After 10 years, today (6/6/06, yes, I'm not going to make any snide remarks about the date) the experimental IPv6 network 6Bone is going dark. There is now enough real IPv6 infrastructure that the venerable 6Bone is no longer necessary.

-------------------------
Jim Clausing, jclausing at isc dot sans dot org

Snort URL evasion vulnerability patched and version 2.6.0 available

Published: 2006-06-05
Last Updated: 2006-06-06 02:02:33 UTC
by George Bakos (Version: 1)
0 comment(s)
The Snort NIDS (http://www.snort.org) vulnerability that was discussed last week (http://isc.sans.org/diary.php?storyid=1373) has been addressed by the Snort team. The latest version, 2.4.5, fixes two vulnerabilities that might have allowed an attacker to send malicious web requests undetected by Snort. Get it at snort.org.

Late breaking news flash! Snort 2.6.0 is out. According to Jennifer Steffens of Sourcefire, the new release includes:
  • Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
  • Added configurable stream flushpoints.
  • Improved rpc processing.
  • Improved portscan detection.
  • Improved http request processing and handling of possible evasion cases.
  • Improved performance monitoring.
There is also dynamic rules processing and a new version numbering scheme. http://www.snort.org/pub-bin/snortnews.cgi

Windows Alternate Data Streams Revisited

Published: 2006-06-06
Last Updated: 2006-06-06 17:40:06 UTC
by George Bakos (Version: 2)
0 comment(s)
An oldie but goodie has reared its familiar head, this time in the form of a posting to the Bugtraq and Full Disclosure lists. Windows NTFS supports multiple streams of data for any given file (http://support.microsoft.com/kb/105763). While the functions that access alternate data streams (ADSs) are clearly defined by Microsoft, very few Windows tools can view them without some added help. In addition, many third-party software developers ignore the possible presence of ADSs, thus providing a wonderful storage location for malicious code.

The Bugtraq posting http://www.securityfocus.com/archive/1/435962/30/0/threaded mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.

Ryan Means wrote an excellent paper (GCWN honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at: http://www.sans.org/rr/whitepapers/honors/1503.php and the tool he wrote can be found at http://www.giac.org/certs/download.php?w=gcwn_0230_2
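For readers who want to check their own systems for the hidden streams the diary describes, the following PowerShell script is an added example (it is not code from the diary, from Ryan Means's paper, or from the Bugtraq posting). It walks a directory tree, lists every NTFS stream attached to each file other than the default unnamed `:$DATA` stream, and computes a SHA256 over each stream's contents so the result can be compared against antivirus or threat-intelligence hashes. It assumes Windows with PowerShell 3.0 or later (where `Get-Item -Stream` and `Get-Content -Stream` exist); the `$Path` parameter and the `Find-AlternateDataStreams` function name are this example's own.

```powershell
# Added example, not from the diary: enumerate NTFS alternate data streams
# under a directory tree and report every stream except the default ':$DATA'.
# Requires Windows and PowerShell 3.0+ (Get-Item/Get-Content -Stream).
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed input: root directory to scan, e.g. C:\Users\Public
)

function Get-StreamSha256 {
    # Read the named stream as raw bytes and hash it. PowerShell 5.1 and
    # PowerShell 7 spell the "give me bytes" switch differently.
    param([string]$FilePath, [string]$StreamName)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $FilePath -Stream $StreamName -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $FilePath -Stream $StreamName -Encoding Byte -ReadCount 0
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([byte[]]$bytes)
    } finally {
        $sha.Dispose()
    }
    return ([System.BitConverter]::ToString($digest) -replace '-', '')
}

function Find-AlternateDataStreams {
    param([string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' returns every stream on the file, including the default one.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamName = $_.Stream
                    $hash = 'n/a'
                    try {
                        $hash = Get-StreamSha256 -FilePath $file.FullName -StreamName $streamName
                    } catch {
                        # Locked or unreadable stream: still report that it exists.
                    }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $streamName
                        Bytes  = $_.Length
                        # Zone.Identifier is written by browsers/mail clients on download
                        # and is the one ADS most administrators expect to see.
                        Expected = ($streamName -eq 'Zone.Identifier')
                        SHA256 = $hash
                    }
                }
        }
}

Find-AlternateDataStreams -Root $Path | Sort-Object Expected, File | Format-Table -AutoSize
```

Run it as `.\Find-ADS.ps1 -Path C:\Users\Public` (script file name is the reader's choice). Rows with `Expected` set to `False` are the ones worth a second look: a stream with a name other than `Zone.Identifier` on a file in a user-writable location is exactly the storage the diary warns about, and the `SHA256` column gives you something to submit to your antivirus vendor or compare against known-bad hashes. On Windows Vista and later, `dir /R` in cmd.exe also lists stream names, but without sizes hashed or the recursion shown here.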