[Snort-sigs] Possible rule for samba-2.2.XX exploit

Joerg Weber j.weber at ...1338...
Thu Apr 10 02:33:02 EDT 2003


Ladies and Gents,

what do you think about the following suggestion for catching the
samba-2.2.XX exploit?
I've verified that the rule catches linux/*BSD shellcodes and it doesn't
seem to trigger false positives.
I'm not sure whether the depth parameter is needed/useful, though.
This exploit is also caught by the SHELLCODE x86 NOOP rule, which might
be disabled due to false positives.

Any comments are welcome, I'm quite sure there is room for improvement
;)


alert tcp $ANY any -> $ANY 139 ( sid: 1000009; rev: 1; \
    msg: "netric/eSDee samba Exploit"; flow: to_server,established; \
    content: "|00 D0 07 0C 00 D0 07 0C 00|"; content: "|90 90 90|"; \
    content: "|D0 07 43 00 0C 00 14 08 01|"; depth: 120; \
    classtype: attempted-admin;)

Regards,

Joerg

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber at ...1338...
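An added illustration, not part of Joerg's post, of what the depth modifier does to the third content match in the rule above: a small Python matcher using the rule's own byte patterns, run over constructed sample payloads (not real captures), with Snort's semantics for non-relative content options assumed (each is searched from the start of the payload; depth limits that search to the first N bytes).

```python
# Content options from the posted rule, in Snort's |hex| notation.
# depth:120 applies only to the content it follows (the third one).
RULE_CONTENTS = [
    ("|00 D0 07 0C 00 D0 07 0C 00|", None),
    ("|90 90 90|", None),
    ("|D0 07 43 00 0C 00 14 08 01|", 120),
]

def parse_content(spec):
    """Turn a Snort content string (|hex| runs and literal text) into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:  # inside |...|: hex bytes separated by whitespace
            out += bytes.fromhex(part.replace(" ", ""))
        else:            # outside |...|: literal characters
            out += part.encode("latin-1")
    return bytes(out)

def content_matches(payload, pattern, depth=None):
    """Non-relative content: search from the start of the payload;
    with depth N the pattern must lie entirely within the first N bytes."""
    window = payload if depth is None else payload[:depth]
    return pattern in window

def rule_matches(payload, contents=RULE_CONTENTS):
    """Every content option must match for the rule to fire."""
    return all(content_matches(payload, parse_content(s), d) for s, d in contents)

# Constructed sample payloads (assumed layouts, not captured traffic).
HEADER = parse_content("|00 D0 07 0C 00 D0 07 0C 00|")
NOPS = parse_content("|90 90 90|")
TAIL = parse_content("|D0 07 43 00 0C 00 14 08 01|")

# All three sequences inside the first 120 bytes -> alert.
PAYLOAD_HIT = HEADER + b"A" * 20 + NOPS + b"B" * 40 + TAIL + b"C" * 200
# Third sequence only appears after byte 120 -> depth:120 suppresses the alert.
PAYLOAD_DEEP = HEADER + NOPS + b"B" * 150 + TAIL
# Same framing bytes but no NOP run -> no alert.
PAYLOAD_BENIGN = HEADER + b"X" * 30 + TAIL

if __name__ == "__main__":
    for name, p in [("hit", PAYLOAD_HIT), ("deep", PAYLOAD_DEEP), ("benign", PAYLOAD_BENIGN)]:
        print(name, rule_matches(p))
```

Dropping the depth (passing None for the third content) makes PAYLOAD_DEEP alert as well, which is the trade-off the question about depth comes down to.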