RealSecure Network Sensor XPU 3.3 Now Available!

From: ISS CustomerRelations (bpq@iss.net)
Date: 11/02/01


Message-Id: <4.2.2.20011101183440.00a8f100@msgatl01.iss.net>
Date: Thu, 01 Nov 2001 18:35:29 -0500
To: xpress@iss.net
From: ISS CustomerRelations <bpq@iss.net>
Subject: RealSecure Network Sensor XPU 3.3 Now Available!



Network Sensor XPU 3.3 is now available from the ISS Download
Center: <http://www.iss.net/eval/eval.php>.

This XPU contains 17 new signatures, and addresses issues that affect
Solaris, HP-UX, and Windows. This XPU also includes signatures to address
mail servers, FTP servers, and an IDS evasion technique. Five existing
checks have been improved in this XPU.

PROTECTION BENEFITS OF NETWORK SENSOR X-PRESS UPDATE 3.3
· Application Protection. XPU 3.3 contains signatures that apply to
FTP servers, Qpopper mail servers, Internet Anywhere mail servers, and
SilentRunner.
· Platform Protection. XPU 3.3 contains signatures to address buffer
overflows that affect Solaris, HP-UX and Windows. Two signatures
applicable to the Cisco IOS operating system are also included.
· Other Malicious Code. This XPU contains signatures to identify IDS
evasion techniques that utilize the IIS web server’s interpretation of UTF-8.

NEW SIGNATURES

SecChkID  Product Check Name                      Risk Level
--------  --------------------------------------  ----------
7284      TelnetExcessiveTabs                     High
6718      Solaris_LPD_Overflow                    High
6811      HPUX_RLPD_Overflow                      High
6332      FTP_Glob_Expansion                      High
6333      FTP_Glob_Implementation                 High
6180      Cisco_Cable_Docsis_SNMP_Community       High
6169      Cisco_ILMI_SNMP_Community               High
6730      HTTP_Frontpage_Extensions_RAD_Overflow  High
7199      HTTP_IIS_Hex_Evasion                    Medium
7200      HTTP_IIS_UTF8_Evasion                   Medium
7201      HTTP_IIS_Percent_Evasion                Medium
7202      HTTP_IIS_Double_Eval_Evasion            Medium
6003      HTTP_Netscape_Revlog                    Medium
6795      POP_SilentRunner_User_Overflow          High
6796      POP_SilentRunner_Pass_Overflow          High
4573      POP_List_Overflow                       High
3988      POP_Retr_DoS                            Low

IMPROVED SIGNATURES
· NCX_Backdoor. This signature has been updated to detect attacks
against Win2K machines.
· HTTP_JJ. This signature has been updated to eliminate false
positives.
· HTTP_Weblogic_PluginBO. This signature has been updated to improve
accuracy.
· HTTP_Oracle_Appserver_Overflow. This signature has been updated to
improve accuracy.
· Email_Amavis_Exec. This signature has been updated to eliminate
false positives.

VERSIONS/PLATFORMS

This XPU supports Network Sensor on Solaris, Windows NT, Windows 2000 and
the Nokia appliance platforms.

This XPU supports both the 5.0 and 6.0 Network Sensor. However, each
requires a different XPU file. If your WorkGroup Manager has Internet
access, WGM will automatically select the correct files for the sensor you
choose to update. If you download the files from the download center on
the ISS web site, the file you should choose depends on the Network
Sensor versions in your environment.

Please note that if you are in the process of upgrading and have a mix of
both versions, 6.0 Network Sensors must be updated by 6.0 WorkGroup
Managers. 5.0 Network Sensors can be updated by both 5.5 and 6.0 WorkGroup
Managers.