Bad day for CA. Two different issues, but we have signatures for them. Thanks to Blake Hartstein at Demarc and Shirdog.

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:”BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS”; content:”|00 00 00 00|”; offset:4; depth:4; content:”|00 00 00 03|”; distance:8; within:4; content:”|00 00 00 08|”; distance:0; within:4; content:”|00 00 00 00|”; distance:0; within:4; content:”|00 00 00 00|”; distance:4; within:4; content:”|00 00 00 00 00 00 00 00|”; distance:8; within:32; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3248; sid:2003370; rev:1; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:”BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption”; flow:established,to_server; content:”|4e 3d 2c 1b|”; depth:4; isdataat:2891,relative; reference:cve,2007-0449; classtype:attempted-admin; sid:2003369; rev:1; )

We’ve also had a good deal of spyware and virus updates. Too numerous to mention here.

Matt

This entry was posted on Friday, February 2nd, 2007 at 12:06 am and is filed under General, New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.