[Snort-sigs] More DCOM sigs

JP Vossen vossenjp at ...1431...
Fri Aug 1 11:39:39 EDT 2003


At least for dcom.c and dcom48.c, the first thing it seems to do after
establishing a session is send bindstr:

C:\tmp> grep bindstr dcom*.c
dcom.c:unsigned char bindstr[]={
dcom.c:    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
dcom48.c:unsigned char bindstr[]={
dcom48.c:    if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){

So doesn't it make sense to look for that?  I wrote a couple of quick sigs,
and they worked in my (limited) testing...  I know Brian has released
"official" rules, but I admit I'm not 100% sure why he did it the way he did.

Am I missing something here?  Please CC: me on replies, as I get the digest of
this list.

--- Cut Here ---

alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1;)

alert tcp any any -> any 445 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 445"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101001; rev:1;)

--- Cut Here ---

Thanks,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."