[Snort-sigs] SMBdie exploit (MS02-45)

Tod Beardsley todb at ...794...
Wed Aug 28 17:43:02 EDT 2002


Kevin Rowland (Tuesday, August 27, 2002, 3:32 PM) wrote:

> For any interested... Here's a rule I'm using to catch the recently
> posted SMBdie concept code for the MS02-45 Advisory.

> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS SMBdie attack"; 
> flags: A+; content:"|57724c65680042313342577a|"; reference: bugtraq,5556; 
> reference:cve,CAN-2002-0724; classtype: attempted-dos;)

Assuming your network doesn't expect any Samba machines in the
WORKGROUP domain, this should also catch SMBdie.exe:

alert tcp any any -> any 139 (msg:"DOS SMBdie attack"; flags: PA+;
content:"|574f524b47524f555000556e69780053616d6261|";
reference:bugtraq,5556; reference:cve,CAN-2002-0724;
classtype: attempted-dos;)

I only mention it because this will catch it during the setup phase of
the SMB session. This will buy auto-responding IDS's a few extra
milliseconds to react before the killer packet gets sent.

-- 
Tod Beardsley (GCIA, MCSE)
"It's okay to yell fire in a crowded theater
if the theater is actually on fire."
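Added example (not part of the thread or of Snort itself): this Python decodes the `content:` byte patterns of both rules quoted above and runs them over two constructed stand-ins for an SMB Session Setup AndX request, showing what each rule actually looks for on the wire and why the caveat about Samba hosts in WORKGROUP matters (a legitimate Samba client in that domain matches the second rule too). The `SAMPLE_*` payloads are constructed for illustration, not captured traffic.

```python
# Added example (not from the thread): decode the Snort content: patterns of
# both rules posted above and run them over constructed sample payloads.
# SAMPLE_* byte strings are constructed for illustration only.

RULES = {
    "Rowland rule":   '"|57724c65680042313342577a|"',
    "Beardsley rule": '"|574f524b47524f555000556e69780053616d6261|"',
}

def parse_content(spec: str) -> bytes:
    """Convert a Snort content: value to raw bytes.

    Text outside |pipes| is taken literally; text inside is hex bytes,
    so "|41 42|C" becomes b"ABC"."""
    spec = spec.strip()
    if len(spec) >= 2 and spec[0] == spec[-1] == '"':
        spec = spec[1:-1]
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text segment
        else:
            out += bytes.fromhex(part)         # hex segment (spaces allowed)
    return bytes(out)

def match_rules(payload: bytes) -> list:
    """Return the names of rules whose content pattern occurs in payload."""
    return [name for name, spec in RULES.items() if parse_content(spec) in payload]

# Constructed stand-ins for the tail of an SMB Session Setup AndX request,
# which carries the client's domain, native OS and native LAN manager strings.
SAMPLE_SAMBA_CLIENT = b"\xffSMB\x73" + b"\x00" * 8 + b"WORKGROUP\x00Unix\x00Samba\x00"
SAMPLE_WINDOWS_CLIENT = (b"\xffSMB\x73" + b"\x00" * 8
                         + b"WORKGROUP\x00Windows 2000 2195\x00"
                         + b"Windows 2000 5.0\x00")

if __name__ == "__main__":
    for name, spec in RULES.items():
        print(f"{name}: looks for {parse_content(spec)!r}")
    print("Samba client in WORKGROUP :", match_rules(SAMPLE_SAMBA_CLIENT))
    print("Windows client in WORKGROUP:", match_rules(SAMPLE_WINDOWS_CLIENT))
```

Running it shows the second rule's pattern decodes to `WORKGROUP\0Unix\0Samba`, so any Samba client announcing itself that way during session setup will fire it, not only SMBdie.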