[Xpress] RealSecure Network Sensor XPU 20.1 and XPU/Service Release 4.4 Now Available!

From: ISS Customer Relations (bpq@iss.net)
Date: 06/19/02


To: xpress@iss.net
Date: Wed, 19 Jun 2002 14:37:35 -0400

RealSecure® Network Sensor XPU 20.1 and XPU/Service Release 4.4 are now
available from the ISS Download Center: <http://www.iss.net/download/>. XPU
20.1 is for Network Sensor 7.0, Service Release (SR) 4.4 is for Network
Sensor 6.5, and XPU 4.4 is for Network Sensor 6.0. Included in these
releases are 20 new events including protocol anomaly detections and
signatures.

PROTECTION BENEFITS
· Web and Application Servers. XPU 20.1 and SR 4.4 include detection
for denial-of-service attacks on Apache web servers, Netscape Enterprise
Server, iPlanet web servers, and Microsoft Commerce Servers. Detection is
included for buffer overflows in IIS web servers and Oracle Application
Servers. Detection for an issue with Apache HTTP Server is also included,
as well as Spida Worm propagation detection.

· Peer-to-Peer and Remote Control Applications. This release augments
RealSecure’s strong peer-to-peer protection capabilities with detection of
AOL Instant Messenger buffer overflows, IRC messages, Yahoo Instant
Messenger logins, as well as traffic from backdoors that are controlled
through an IRC network. Detection is included for GoToMyPC.com logins,
which indicate systems being remotely controlled.

· Other Events. Several events are included to detect Border Gateway
Protocol anomalies. Events are included to detect InfraTrojan, Intruzzo,
Litmus, and GT (Global Threat) Bot backdoors. Detection for a buffer
overflow in Internet Explorer is also included.

NEW EVENTS IN XPU 20.1 and SR 4.4

SecChkID  ProductCheckName                Event Type                   Risk Level
--------  ----------------                ----------                   ----------
9124*     SQL_Spida_Worm                  Suspicious Activity          High
7815      HTTP_Apache_PHP                 Unauthorized Access Attempt  High
8589**    HTTP_Apache_DOS_Batch_Command   Unauthorized Access Attempt  High
8795      HTTP_IIS_ASP_Chunked_Overflow   Unauthorized Access Attempt  High
8254      HTTP_AuthFilter_ISAPI_Overflow  Protocol Signature           High
8116      HTTP_IE_HTML_Embed_Overflow     Protocol Signature           High
8457**    HTTP_OracleAdmin_help_overflow  Unauthorized Access Attempt  High
7842      HTTP_Netscape_Rend              Denial of Service            Medium
9166      HTTP_GoToMyPCDOTCom_Connection  Suspicious Activity          Medium
8666      IRC_Global_Threat               Unauthorized Access Attempt  High
9049      IRC_Litmus                      Protocol Signature           Medium
9050      IRC_Notice                      Protocol Signature           Low
9017      AOLIM_AddExternalApp_Overflow   Protocol Signature           High
8290      YahooMSG_Login                  Protocol Signature           Low
9022      Intruzzo_TCP_Response           Unauthorized Access Attempt  High
9081      InfraTrojan_Request             Protocol Signature           High
9134      BGP_New_Route                   Protocol Signature           Low
9135      BGP_Route_Unreachable           Protocol Signature           Low
9136      BGP_Notify_Msg                  Protocol Signature           Low
9137      BGP_Illegal_Size                Protocol Signature           Low

* This event should replace the user-defined connection event recommended
in the X-Force Alert on May 21, 2002.
** These events are excluded from Network Sensor 7.0 XPU 20.1 since they
already exist in 7.0.

SECURITY CONTENT BUG FIXES

Several existing events are improved in this release for Network Sensor 6.x.
· SNMP_Long_Community_String (8167)
· Traceroute
· Glacier_backdoor
· Instant Messenger message events (AIM, MSMsgr, Yahoo, ICQ) have
been modified to report the message text as the first field in the response.
· Mstream_Master/Zombie
· Imail_Ldap_Overflow
· HTTP_IIS_ASP_Header_Overflow
· IP_Protocol_Violation
· MSMessenger Login & Message
· IIS Evasion events refactored to prevent false positives. These
include: HTTP_IIS_Unicode_Encoding,
HTTP_IIS_Unicode_Wide_Encoding, HTTP_IIS_Double_Eval_Evasion,
HTTP_IIS_Hex_Evasion, HTTP_IIS_Percent_Evasion, and HTTP_IIS_UTF8_Evasion.

OTHER BUG FIXES FOR NETWORK SENSOR 6.5

Several bug fixes are included in SR 4.4 for Network Sensor 6.5 for Nokia,
making this a Service Release for 6.5 Nokia sensors. These bug fixes are
not included in XPU 4.4 for Network Sensor version 6.0, which is a security
content only release.
· RealSecure for Nokia 6.5 sensors with 256 MB of RAM will have the
TCP stream count automatically throttled to avoid memory consumption, which
can result in a SIGCHLD error.
· A memory leak has been corrected in Nokia 6.5 sensors.
· An issue that caused zombie processes in Nokia 6.5 sensors has been
corrected.

VERSIONS/PLATFORMS

XPU 20.1 supports Network Sensor 7.0 on Windows 2000. XPU/SR 4.4 supports
Network Sensor 6.5/6.0 on Solaris, Windows NT, Windows 2000 and the Nokia
appliance platforms. Supported management consoles include Workgroup
Managers 6.6, 6.5, and 6.0 and SiteProtector 1.2.

**IMPORTANT NOTE FOR NETWORK SENSOR 7.0 CUSTOMERS**

It is important that Workgroup Manager version 6.5 is upgraded to version
6.6 prior to applying XPU 20.1 to sensors. If Workgroup Manager 6.5
connects to a Network Sensor 7.0 with XPU 20.1 installed, it will receive
events, but will not be able to manage the sensor until the Workgroup
Manager version is upgraded. Customers may upgrade to Workgroup Manager 6.6
by connecting to a 7.0 sensor that does not yet have XPU 20.1 applied, or
by using the Workgroup Manager Upgrade Utility available at
<http://www.iss.net/download>.

_______________________________________________
Xpress mailing list
Xpress@iss.net

