[Snort-sigs] DCom RPC attack response sig

Esler, Joel Contractor joel.esler at ...783...
Tue Aug 5 15:20:02 EDT 2003


<snip>
alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)

</snip>

Our research showed that this wouldn't work...  We have written three that
work in our area.

# content decodes to "Microsoft Windows", the first line of the cmd.exe banner
alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit Response"; flow:from_server,established; flags:PA; content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73|"; classtype:successful-admin;)
# F+ : FIN set, any other flags allowed
alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; flags:F+; content:"|80 11 fa f0|"; classtype:successful-admin;)
# S+ : SYN set, any other flags allowed
alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; flags:S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)
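A small checker, added here and not part of the post, that decodes Snort `content:` strings (literal text mixed with `|hex|` segments) and tests them against constructed samples of what cmd.exe sends when it starts on a socket; the sample banner and prompt strings are made up for the test and assume a Windows 2000 host (system root `C:\WINNT`) and an XP host (`C:\WINDOWS`):

```python
import re

# Content strings from the rules in this thread (msg text shortened).
RULE_CONTENTS = {
    "snip: DCom RPC System Shell Exploit Response": "|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|",
    "Suspected RPC DCOM System Shell Exploit Response": "|4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73|",
    "Suspected RPC DCOM Successful Shell Exploit Response": "|80 11 fa f0|",
    "RPC DCOM Shell Generation": "|00 00 02 04 05 b4 04 02 08 0a|",
}

# Constructed samples (not captures): cmd.exe banner plus the default prompt
# on Windows 2000 and on Windows XP.
BANNER_2000 = (b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
               b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n")
PROMPT_2000 = b"C:\\WINNT\\system32>"
PROMPT_XP = b"C:\\WINDOWS\\system32>"


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into the raw bytes the rule looks for."""
    out = bytearray()
    for i, piece in enumerate(spec.split("|")):
        if i % 2:  # odd pieces sit between pipes: space-separated hex bytes
            out += bytes.fromhex(piece.replace(" ", ""))
        else:      # even pieces are literal text; drop Snort's backslash escapes
            out += re.sub(r"\\(.)", r"\1", piece).encode("latin-1")
    return bytes(out)


def content_matches(spec: str, payload: bytes) -> bool:
    """True if the decoded content appears anywhere in the TCP payload."""
    return parse_snort_content(spec) in payload


def matching_rules(payload: bytes) -> list:
    """Names of the rules above whose content would match this payload."""
    return [name for name, spec in RULE_CONTENTS.items()
            if content_matches(spec, payload)]


if __name__ == "__main__":
    for name, spec in RULE_CONTENTS.items():
        print(f"{name!r} looks for {parse_snort_content(spec)!r}")
    print("Win2000 prompt matches:", matching_rules(BANNER_2000 + PROMPT_2000))
    print("WinXP   prompt matches:", matching_rules(BANNER_2000 + PROMPT_XP))
```

Running it shows that the snipped rule's `:\WINDOWS\syste` content depends on the system root path (it misses a `C:\WINNT` prompt), while the banner-based content matches regardless of the path.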
