1906.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:
--
Sid:
1906

--
Summary:
This event is generated when an attempt is made to exploit a buffer
overflow associated with the Remote Procedure Call (RPC) amd service.

--
Impact:
Remote root access. This attack can permit execution of arbitrary
commands with the privileges of the user running amd, typically root.

--
Detailed Information:
The amd RPC service implements the automounter daemon on UNIX hosts. The
amd service automatically mounts and unmounts requested file systems.
There is a buffer overflow associated with amd logging that can allow
execution of arbitrary commands with the privileges of the user running
amd, typically root.

--
Affected Systems:
	BSDI BSD/OS 3.1, 4.0.1
	FreeBSD 3.0, 3.1, 3.2
	Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0

--
Attack Scenarios:
An attacker can query the portmapper to discover the port where amd runs
and then attack the amd port. Alternatively, an attacker may attempt to
execute the exploit code on any listening port in the RPC range if the
portmapper is blocked. 

--
Ease of Attack:
Simple.  Exploit code is freely available. 

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to
RPC-enabled machines. 

Disable unneeded RPC services.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--