[Snort-sigs] DCom RPC attack response sig

CK Ng ckng at ...1745...
Mon Aug 11 06:42:08 EDT 2003


Tested a few exploits, but none of the rules below is triggered..
Checking through the packets, wondering how you get the content signature??

Any suggestion??

Regards,
CK Ng

----- Original Message ----- 
From: "Esler, Joel Contractor" <joel.esler at ...783...>

<..snip..>
alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit Responce"; flow:from_server,established; flags: PA; content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 63 64 6f 77 73|"; classtype:successful-admin;)
alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; flags: F+; content:"|80 11 fa f0|"; classtype:successful-admin;)
alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; flags: S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)
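As an added example (not part of the original thread or the Snort project), a small Python decoder for the content: patterns in the quoted rules, so the exact bytes each rule requires can be inspected before testing it against captured packets. RULES is a constructed one-line copy of the three rules above; matches() is a hypothetical helper that only checks substring presence and ignores the flow and flags options.

```python
"""Decode Snort content: patterns (mixed literal text and |hex| sections)
into raw bytes. Added example, not code from the mailing-list post."""
import re

# Constructed copy of the three quoted rules, each joined onto one line.
RULES = [
    'alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit Responce"; flow:from_server,established; flags: PA; content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 63 64 6f 77 73|"; classtype:successful-admin;)',
    'alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; flags: F+; content:"|80 11 fa f0|"; classtype:successful-admin;)',
    'alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; flags: S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)',
]

# Captures the quoted value of every content: option in a rule.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')


def decode_content(pattern: str) -> bytes:
    """Text outside |...| is literal (backslash escapes the next char);
    text inside |...| is whitespace-separated two-digit hex bytes."""
    out = bytearray()
    in_hex = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if ch.isspace():
                i += 1
                continue
            out.append(int(pattern[i:i + 2], 16))  # one hex byte
            i += 2
        elif ch == "\\" and i + 1 < len(pattern):
            out.append(ord(pattern[i + 1]))  # escaped ", ;, \ or |
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in content pattern")
    return bytes(out)


def rule_contents(rule: str) -> list:
    """Decoded bytes of every content: option in the rule, in order."""
    return [decode_content(m) for m in CONTENT_RE.findall(rule)]


def matches(rule: str, payload: bytes) -> bool:
    """Hypothetical substring check: every content: pattern must appear."""
    return all(c in payload for c in rule_contents(rule))
```

Running rule_contents() over RULES and decoding the result as latin-1 shows the literal text the first rule is looking for, which is the first thing to compare against the bytes actually seen in the shell response packets.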
