List:       snort-sigs
Subject:    Re: [Snort-sigs] new rule for detecting VxWorks debugging reply access
From:       Eric G <eric () nixwizard ! net>
Date:       2012-06-20 1:17:19
Message-ID: CAFzrbiFLhmTQmktqQ3DF1-hH-_4DwxzZHopiHR8WuV8i6wyfwQ () mail ! gmail ! com

On Tue, Jun 19, 2012 at 5:40 PM, Tony Robinson <trobinson@sourcefire.com> wrote:

> I've seen this rule fire a couple of times in the past. Most times I've
> seen this rule tripped in the past, it was a vulnerability scanner
> attempting to scan a target.


+1.. same experience here. Our in-house vuln scanner causes this one to
fire off on its regularly scheduled scan dates.

If you know you don't have any VxWorks based devices (which might be
somewhat difficult to determine... there are a lot of RTOS embedded devices
that are VxWorks based, like newer Linksys WRT54Gs for example...) you
could disable that rule if it's generating a lot of noise.

--
Eric


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

