3080.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
3080

--
Summary:
This event is generated when a remote attacker sends an overly long "secure"
query to a host acting as an Unreal engine server.  This may
indicate an attempt to exploit a buffer overflow vulnerability.

--
Impact:
Serious. A successful buffer overflow can permit the execution of arbitrary
code on a vulnerable system.

--
Detailed Information:
Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
available for Linux, Windows and Macintosh platforms. The Unreal engine is
used for both client and server functionality. An overly long "secure"
query can be sent to the game server, causing a buffer overflow and the
subsequent execution of arbitrary code.

--
Affected Systems:
	Multiple versions of the Unreal Engine running on Linux, Microsoft
	Windows and Macintosh platforms.

--
Attack Scenarios:
An attacker can send an overly long "secure" query to a vulnerable host, causing
a buffer overflow and the subsequent execution of arbitrary code.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
Unreal servers can be configured to run on arbitrary ports.
Administrators should either change the port used in the rule or create
a variable for the ports to be used in the rule.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the most current nonaffected version of the software.

--
Contributors:
Sourcefire Vulnerability Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

OSVDB
http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup

--