RealSecure Network Sensor XPU 3.1

From: CustomerRelations (bpq@iss.net)
Date: 08/01/01


Message-Id: <4.2.2.20010731195830.00a8b340@msgatl01.iss.net>
Date: Tue, 31 Jul 2001 20:13:43 -0400
To: xpress@iss.net
From: CustomerRelations <bpq@iss.net>
Subject: RealSecure Network Sensor XPU 3.1


===============================================================

X-PRESS UPDATE 3.1 FOR NETWORK SENSOR NOW AVAILABLE!

===============================================================

SUMMARY

X-Press Update 3.1 for Network Sensor contains 28 new signatures for
high-risk exploits, including the IIS Index Server overflow used by
the Code Red worm. Of the 28 new signatures, 10 cover 802.11 wireless
LAN access points. This XPU also improves a number of existing
signatures and includes several bug fixes.

APPLICATION PROTECTION

- Web Servers. XPU 3.1 adds signatures for high-risk IIS vulnerabilities:
HTTP_IIS_Index_Server_Overflow (the flaw exploited by the Code Red worm),
HTTP_IIS_ISAPI_Printer_Overflow, HTTP_IIS_Unicode_Translation, and
HTTP_IIS_URL_Decoding.

- Wireless. This XPU adds 10 signatures covering the web-based
configuration interfaces of 802.11 wireless LAN access points. The
SNMP_Suspicious_Get and SNMP_Suspicious_Set signatures have also been
updated to detect 12 additional events involving wireless LAN access
point objects.

VERSIONS/PLATFORMS

This XPU supports Network Sensor on Solaris, Windows NT, Windows 2000
and the Nokia appliance platforms. Once the XPU has been applied, all
platforms have the same signature coverage.

This XPU supports both Network Sensor 5.0 and 6.0, but each version
requires a different XPU file. If your WorkGroup Manager has Internet
access, WGM selects the correct file for the sensor you choose to
update. If you download the files from the download center on the ISS
web site, choose the file that matches the Network Sensor version(s)
deployed in your environment.

Note that if you are in the middle of an upgrade and have a mix of
both versions, 6.0 Network Sensors must be updated from 6.0 WorkGroup
Managers; 5.0 Network Sensors can be updated from either 5.5 or 6.0
WorkGroup Managers.

NEW SIGNATURES IN XPU 3.1

Event Name                              Risk Level SecChkID
--------------------------------------- ---------- --------
Compaq_Insight_Cpqlogin_Overflow        High       5935
Compaq_Insight_DoS                      Medium     2259
Compaq_Insight_Fileread                 Medium     2258
Email_ExchangeStore_DoS                 Medium     5265
Gauntlet_CyberDaemon_Overflow           High       4503
Gauntlet_ICMP_DoS                       High       3108
HTTP_IIS_Index_Server_Overflow          High       6705
HTTP_IIS_ISAPI_Printer_Overflow         High       6485
HTTP_IIS_Unicode_Translation            High       5377
HTTP_IIS_URL_Decoding                   High       6534
HTTP_PHPNuke_Admin_Access               High       5108
Lotus_Domino_SMTP_Overflow              High       5993
VNC_Detected                            Low        1894
VNC_HTTP_Get_Overflow                   High       6026
VNC_Login_Failed                        Medium     6425
VNC_NoAuthentication                    Low        1988
VNC_RFBConnFailed_Overflow              High       6025
HTTP_Windows_Executable                 High       6842

NEW WIRELESS LAN SIGNATURES

Event Name                              Risk Level SecChkID
--------------------------------------- ---------- --------
HTTP_3com_AirConnect_EasySetup          High       6456
HTTP_3com_AirConnect_FilteringSetup     High       6457
HTTP_3com_AirConnect_FirmwareSetup      High       6458
HTTP_3com_AirConnect_ModemSetup         High       6459
HTTP_3com_AirConnect_RFSetup            High       6460
HTTP_3com_AirConnect_SecuritySetup      High       6461
HTTP_3com_AirConnect_SNMPSetup          High       6462
HTTP_3com_AirConnect_SpecialFunctions   High       6463
HTTP_3com_AirConnect_SystemSetup        High       6464
HTTP_Cisco_Aironet_Webconfig            High       6465

The SNMP_Suspicious_Get and SNMP_Suspicious_Set signatures have been
updated to detect 12 additional events, each keyed to an SNMP object
on an 802.11 wireless LAN access point. More information about these
events is available in the ReadMe and in the online help.

Tagname                              OID Name
------------------------------------ ------------------------------
roamabout-secure-access-disabled     RoamaboutSecureAccess
roamabout-console-password-disabled  RoamaboutConsolePasswd
roamabout-wep-encryption-disabled    RoamaboutEncryption
3com-ap-default-ssid                 3comAirConnectSSID
3com-ap-accept-broadcast             3comAirConnectBroadcastSSID
3com-ap-acl-disabled                 3comAirConnectACL
3com-ap-telnet-enabled               3comAirConnectTelnet
3com-ap-avt-disabled                 3comAirConnectACLViolationTrap
3com-ap-avt-disabled                 3comAirConnectSNMPTrap
cisco-aironet-broadcast-ssid         AironetBroadcastSSID
ieee80211-ssid-access                80211SSID
ieee80211-wepkey-access              80211WEPKey
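
To illustrate what an SNMP_Suspicious_Get/Set style check has to do, the
following is an added example written for this page, not ISS's signature
code: a minimal SNMPv1 BER decoder pulls the PDU type, community string
and requested OIDs out of a datagram and matches them against a watchlist
of sensitive access-point objects. The tag names reuse three entries from
the table above; the numeric OIDs under enterprise 99999 are constructed
placeholders, not the vendors' real MIB objects, and the sample datagrams
are built inline with a small encoder so the block runs offline.

```python
"""Toy SNMPv1 Get/Set watchlist check (added example, not ISS code)."""

# Constructed watchlist: dotted OID prefix -> tag name reported in the event.
# Enterprise 99999 is a placeholder; real signatures key on vendor MIB OIDs.
WATCHLIST = {
    "1.3.6.1.4.1.99999.1.1": "ieee80211-ssid-access",    # hypothetical SSID object
    "1.3.6.1.4.1.99999.1.2": "ieee80211-wepkey-access",  # hypothetical WEP key object
    "1.3.6.1.4.1.99999.2.1": "3com-ap-telnet-enabled",   # hypothetical telnet toggle
}

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """BER OBJECT IDENTIFIER contents -> dotted string."""
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)            # base-128 arcs, high bit = more
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def parse_snmpv1(datagram):
    """Return (pdu_type, community, [oid, ...]) from an SNMPv1 message."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = _read_tlv(msg, 0)
    if version != b"\x00":
        raise ValueError("only SNMPv1 (version 0) handled in this example")
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, varbind, pos = _read_tlv(vblist, pos)
        _, oid_raw, _ = _read_tlv(varbind, 0)    # VarBind = SEQUENCE { OID, value }
        oids.append(_decode_oid(oid_raw))
    return PDU_TYPES.get(pdu_tag, hex(pdu_tag)), community.decode("ascii", "replace"), oids


def suspicious_events(datagram):
    """Match every OID in a Get*/Set request against WATCHLIST.

    Returns a list of (event, tagname, oid, community) tuples; prefix matching
    catches the ".0" instance suffix and any subtree beneath a watched object.
    """
    pdu_type, community, oids = parse_snmpv1(datagram)
    if pdu_type not in ("GetRequest", "GetNextRequest", "SetRequest"):
        return []
    event = "SNMP_Suspicious_Set" if pdu_type == "SetRequest" else "SNMP_Suspicious_Get"
    hits = []
    for oid in oids:
        for prefix, tagname in WATCHLIST.items():
            if oid == prefix or oid.startswith(prefix + "."):
                hits.append((event, tagname, oid, community))
    return hits


# --- minimal BER encoder, used only to construct the sample datagrams ---------

def _tlv(tag, body):
    if len(body) >= 128:
        raise ValueError("short-form length only in this example")
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_request(pdu_tag, community, bindings):
    """Build an SNMPv1 message; bindings is a list of (dotted_oid, value_tlv)."""
    varbinds = b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(oid)) + val) for oid, val in bindings)
    pdu = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, varbinds)
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))


NULL = _tlv(0x05, b"")
# Constructed samples: a WEP key write, an SSID read, and a benign sysDescr read.
SAMPLE_SET_WEP = build_request(0xA3, "public", [("1.3.6.1.4.1.99999.1.2.0", _tlv(0x04, b"0123456789abc"))])
SAMPLE_GET_SSID = build_request(0xA0, "public", [("1.3.6.1.4.1.99999.1.1.0", NULL)])
SAMPLE_GET_SYSDESCR = build_request(0xA0, "public", [("1.3.6.1.2.1.1.1.0", NULL)])

if __name__ == "__main__":
    for name, pkt in [("set-wep", SAMPLE_SET_WEP), ("get-ssid", SAMPLE_GET_SSID),
                      ("get-sysdescr", SAMPLE_GET_SYSDESCR)]:
        print(name, suspicious_events(pkt) or "no event")
```

Only the SetRequest against the WEP key object and the GetRequest against
the SSID object produce events; the sysDescr read is left alone. Carrying
the community string in the event is deliberate: a Set that an access
point accepts with a guessable community is the exposure that tags such as
3com-ap-telnet-enabled and roamabout-wep-encryption-disabled describe, and
the analyst triaging the alert needs it.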

IMPROVED SIGNATURES IN XPU 3.1

Several signatures have been improved in this XPU:

HTTP_Shells
HTTP_Head
Napster_Command_Long
NTP_Readvar_Overflow
HTTP_Cisco_Catalyst_Exec
Devil
DNS_TSIG_Overflow
Email_Outlook_Date_Overflow
RPC_snmpXdmid_Overflow
DNS Signatures
Stream_DoS

This XPU also includes several bug fixes.