[Snort-sigs] DCom RPC attack response sig

Michael Anuzis michael_anuzis at ...12...
Tue Aug 5 16:42:06 EDT 2003


The any - 4444 rule will only work via the Windows based exploit that opens 
the shell on port 4444 to netcat to. It won't work for the UNIX variant. 
Also, now that the script-kids have supposedly switched their port from 4444 
to 3333 it would be a good idea to use the any any as suggested.

One small typo that may want to get corrected before the rules are added to 
the list would be in the first rule:
Responce  --> Response


Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.


>From: "Esler, Joel  Contractor" <joel.esler at ...783...>
>To: "'snort-sigs at lists.sourceforge.net'" <snort-sigs at lists.sourceforge.net>
>Subject: RE: [Snort-sigs] DCom RPC attack response sig
>Date: Wed, 30 Jul 2003 12:12:22 -0400
>
>
><snip>
>alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
>
></snip>
>
>Our research showed that this wouldn't work...  We have written three that
>work in our area.
>
>alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit Responce"; flow:from_server,established; flags: PA; content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 63 64 6f 77 73|"; classtype:successful-admin;)
>alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; flags: F+; content:"|80 11 fa f0|"; classtype:successful-admin;)
>alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; flags: S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
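The following is an added example, not Snort code and not written by either poster. It copies the four rules quoted above byte-for-byte, decodes their |hex| content strings, and runs them against two constructed cmd.exe banners (the text a bound shell sends before its prompt). Three things fall out of this: the any 4444 rule only sees a shell that was bound on port 4444, as Michael says; its pattern ":\WINDOWS\syste" also assumes the system root is WINDOWS, so a Windows 2000 box, whose root is WINNT, never matches; and the first of Joel's three rules decodes to "Microsoft Wicdows" (byte 63 where 6e would spell "Windows"), so as posted it cannot match a real banner. The banner strings, the rule parser and the flag handling are assumptions of this example, not part of Snort.

```python
"""Decode the Snort content patterns quoted in this thread and run them
against constructed cmd.exe banners.  Added example: not Snort code and not
from the thread's authors.  The banners are constructed test data."""
import re

# The four rules quoted in the thread, copied byte-for-byte and joined onto
# one line each (the mail client wrapped them).
RULES = [
    'alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC '
    'System Shell Exploit Response"; flow:from_server,established; '
    'content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; '
    'classtype:successful-admin;)',
    'alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell '
    'Exploit Responce"; flow:from_server,established; flags: PA; '
    'content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 63 64 6f 77 73|"; '
    'classtype:successful-admin;)',
    'alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell '
    'Exploit Response"; flags: F+; content:"|80 11 fa f0|"; '
    'classtype:successful-admin;)',
    'alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; '
    'flags: S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; '
    'classtype:successful-admin;)',
]

HEADER_RE = re.compile(r'^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')


def decode_content(text):
    """Turn a Snort content string (plain text with |hex| runs) into bytes."""
    out = bytearray()
    for plain, hexrun in re.findall(r'([^|]*)(?:\|([^|]*)\|)?', text):
        out += plain.encode('latin-1')
        if hexrun:
            out += bytes.fromhex(hexrun)
    return bytes(out)


def parse_rule(rule):
    """Pull the header ports and the options this example cares about."""
    src, sport, dst, dport, body = HEADER_RE.match(rule).groups()
    opts = {}
    for opt in body.split(';'):
        key, _, val = opt.strip().partition(':')
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return {'sport': sport, 'dport': dport, 'msg': opts['msg'],
            'flags': opts.get('flags'),
            'content': decode_content(opts['content'])}


def flags_ok(spec, flags):
    """Snort flags: 'PA' means exactly PSH+ACK, 'F+' means FIN plus anything."""
    if spec is None:
        return True
    if spec.endswith('+'):
        return set(spec[:-1]) <= flags
    return set(spec) == flags


def port_ok(rule_port, port):
    return rule_port == 'any' or int(rule_port) == port


def evaluate(server_port, flags, payload):
    """Return the msg of every quoted rule that fires on one server->client
    segment.  flow:from_server,established is taken as satisfied, which is
    true for a banner sent by a bound shell on an open session."""
    hits = []
    for rule in map(parse_rule, RULES):
        if (port_ok(rule['sport'], server_port)
                and flags_ok(rule['flags'], set(flags))
                and rule['content'] in payload):
            hits.append(rule['msg'])
    return hits


# Constructed cmd.exe banners: what a bound shell emits before its prompt.
BANNER_XP = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
             b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
             b"C:\\WINDOWS\\system32>")
BANNER_2K = (b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
             b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
             b"C:\\WINNT\\system32>")

if __name__ == '__main__':
    for rule in map(parse_rule, RULES):
        print(f"{rule['msg']!r} content -> {rule['content']!r}")
    print("XP shell on 4444:", evaluate(4444, 'PA', BANNER_XP))
    print("XP shell on 3333:", evaluate(3333, 'PA', BANNER_XP))
    print("2000 shell on 4444:", evaluate(4444, 'PA', BANNER_2K))
```

Run as-is, only the any 4444 rule fires, and only for the XP banner on 4444; moving the shell to 3333 or pointing it at a Windows 2000 host silences it, and the "Microsoft Wicdows" pattern never fires at all. One further caveat on the last quoted rule: its bytes 02 04 05 b4, 04 02 and 08 0a are the on-the-wire encodings of the MSS=1460, SACK-permitted and timestamp TCP options, which live in the TCP header, whereas Snort's content keyword searches the TCP payload, and a bare SYN carries none; worth confirming against a capture on your own Snort version before relying on it.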
