[Snort-sigs] SMBdie exploit (MS02-45)
todb at ...794...
Wed Aug 28 17:43:02 EDT 2002
Kevin Rowland (Tuesday, August 27, 2002, 3:32 PM) wrote:
> For any interested... Here's a rule I'm using to catch the recently
> posted SMBdie concept code for the MS02-45 Advisory.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS SMBdie attack";
> flags: A+; content:"|57724c65680042313342577a|"; reference: bugtraq,5556;
> reference:cve,CAN-2002-0724; classtype: attempted-dos;)
Assuming your network doesn't expect any Samba machines in the
WORKGROUP domain, this should also catch SMBdie.exe:
alert tcp any any -> any 139 (msg: "DOS SMBdie attack"; flags: PA+;
I only mention it because this will catch it during the setup phase of
the SMB session. This will buy auto-responding IDSs a few extra
milliseconds to react before the killer packet gets sent.
Tod Beardsley (GCIA, MCSE)
"It's okay to yell fire in a crowded theater
if the theater is actually on fire."
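
To show what the content option in the quoted rule keys on, here is an added example (not part of the original post and not Snort code) that converts Snort's |hex| content notation to bytes and searches two constructed payloads. The helper names parse_content, first_match and printable, and the sample payloads, are assumptions made for illustration.

```python
import re

# content option copied verbatim from the rule quoted in the post
RULE_CONTENT = "|57724c65680042313342577a|"

def parse_content(spec):
    """Turn a Snort content string (literal text mixed with |hex| runs) into bytes."""
    parts = spec.split("|")
    # Pipes toggle hex mode, so a well-formed string splits into an odd number of parts
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:  # inside |...|: hex byte pairs, whitespace allowed
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:      # literal text; undo Snort's backslash escapes for ; " : \
            out += re.sub(r'\\([;":\\])', r"\1", part).encode("latin-1")
    return bytes(out)

def first_match(payload, pattern, nocase=False):
    """Offset of the first occurrence of pattern in payload, or -1 if absent."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return payload.find(pattern)

def printable(data):
    """Render bytes with non-printable values shown as \\xNN, for reading signatures."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)

PATTERN = parse_content(RULE_CONTENT)

# Constructed payloads (filler bytes, not valid SMB messages)
SAMPLE_HIT = b"\x00" * 40 + PATTERN + b"\x00" * 8
SAMPLE_MISS = b"\x00" * 40 + b"ordinary session traffic" + b"\x00" * 8

if __name__ == "__main__":
    print("rule matches on:", printable(PATTERN))
    for name, data in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, "-> offset", first_match(data, PATTERN))
```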