[Snort-sigs] CDE dtspcd exploit attempt first cut

Chris Green cmg at ...26...
Mon Jan 14 13:51:03 EST 2002


alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 \
     (msg: "CDE dtspcd exploit attempt"; \
      reference: cve,CAN-2001-0803; \
      reference: url,www.cert.org/advisories/CA-2002-01.html; \
      flags: A+; \
      content: "103e"; offset: 10; depth: 14;)

I don't like this because it looks for that content in the same spot,
but I don't know enough about dtspcd and the protocol (nor do I have a
test box for it) to see if that first part is static or not.

According to the advisory, any value over 1000 will be an exploit, so
perhaps this is the right sig:

# the length field is the four hex digits at offsets 10-13, so the three
# digits after the leading "1" sit at offsets 11-13
alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 \
     (msg: "CDE dtspcd exploit attempt"; \
      reference: cve,CAN-2001-0803; \
      reference: url,www.cert.org/advisories/CA-2002-01.html; \
      flags: A+; \
      content: "1"; offset: 10; depth: 1; \
      content: !"000"; offset: 11; depth: 3;)

I like the latter but would someone please check my byte counting
skills.

Here is the cleaned-up packet from their advisory:

09:46:04.378306 10.10.10.1.3592 > 10.10.10.2.6112: P 1:1449(1448) ack 1 win 16060 <nop,nop,timestamp 463986683 4158792> (DF)
0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 E..... at ...252...$.....
0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f ...f........_f./
0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>.............
0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410
0x0040 3365 3030 3031 2020 3420 0000 0031 3000  3e0001..4....10.
0x0050 801c 4011 801c 4011 1080 0101 801c 4011  .. at ...253...@....... at ...180...
0x0060 801c 4011 801c 4011 801c 4011 801c 4011  .. at ...253...@... at ...253...@.
-- 
Chris Green <cmg at ...26...>
Don't use a big word where a diminutive one will suffice.
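The byte counting can be checked mechanically. The Python script below is an added example, not part of the post or of Snort: it parses the hex dump above, strips the IP and TCP headers (the TCP header here carries timestamp options, so the payload starts at byte 52, not 40), splits the ASCII-hex dtspcd header, and applies each rule's content checks with Snort's offset/depth semantics. The header layout (8 hex digits channel id, 2 sequence number, 4 length, 2 type) and the 0x1000 buffer limit are assumptions not stated in the post, and the two extra requests with other length values are constructed, not taken from the advisory. It also shows why the negated "000" belongs at offset 11: placed at offset 13 it covers the last length digit plus the two type digits, so a length such as 0x1200 would slip past.

```python
"""Byte-count check for the two dtspcd rules in the post.

Added example: parses the hex dump from the post, strips the IP/TCP
headers and evaluates each rule's content checks at the stated offsets.
"""
import struct

# Hex dump of the request as printed in the post (ASCII column dropped).
DUMP = """\
0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01
0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f
0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb
0x0030 003f 7548 3030 3030 3030 3032 3034 3130
0x0040 3365 3030 3031 2020 3420 0000 0031 3000
0x0050 801c 4011 801c 4011 1080 0101 801c 4011
0x0060 801c 4011 801c 4011 801c 4011 801c 4011
"""

# Assumption: the 4K buffer the advisory describes; lengths above it overflow.
BUFFER_LIMIT = 0x1000


def parse_dump(text):
    """Turn tcpdump -x style lines into raw bytes (first column is the offset)."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)


def tcp_payload(pkt):
    """Return (src port, dst port, payload) for an IPv4/TCP packet with no link layer."""
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4            # TCP data offset, options included
    return sport, dport, pkt[ihl + doff:]


def spc_header(payload):
    """Split the ASCII-hex dtspcd header into (chan, seq, length, type).

    Assumed layout (not stated in the post): 8 hex digits channel id,
    2 hex digits sequence number, 4 hex digits length, 2 hex digits type.
    """
    return (int(payload[0:8], 16), int(payload[8:10], 16),
            int(payload[10:14], 16), int(payload[14:16], 16))


def content_at(payload, pattern, offset, depth):
    """Snort content semantics: pattern must lie within depth bytes from offset."""
    return pattern in payload[offset:offset + depth]


def evaluate(payload):
    """Apply the content checks of both rules; negated content means 'not found'."""
    leading_one = content_at(payload, b"1", 10, 1)
    return {
        # rule 1: the literal length 103e at offset 10
        "rule1": content_at(payload, b"103e", 10, 14),
        # rule 2 with !"000" at offset 13: last length digit plus the type field
        "rule2_offset13": leading_one and not content_at(payload, b"000", 13, 3),
        # rule 2 with !"000" at offset 11: the three digits after the leading 1
        "rule2_offset11": leading_one and not content_at(payload, b"000", 11, 3),
    }


def make_request(length):
    """Constructed request (not from the advisory); only the length field varies."""
    return b"00000002" + b"04" + b"%04x" % length + b"00" + b"01  4 "


if __name__ == "__main__":
    sport, dport, payload = tcp_payload(parse_dump(DUMP))
    chan, seq, length, typ = spc_header(payload)
    print(f"{sport} -> {dport}: chan={chan} seq={seq} len={length:#x} type={typ}")
    print("over buffer limit:", length > BUFFER_LIMIT)
    for name, p in [("advisory", payload), ("len 0x0100", make_request(0x0100)),
                    ("len 0x1200", make_request(0x1200))]:
        print(name, evaluate(p))
```

Run it as a script and it prints the parsed header for the advisory packet (length 0x103e, above the limit), then the rule results for the advisory packet and the two constructed requests; only the offset-11 form of the second rule fires on the 0x1200 request.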



