[Snort-sigs] RE: Snort-sigs digest, Vol 1 #670 - 1 msg

Vuppala, Vijaybhasker (EM, GECIS) Vijaybhasker.Vuppala at ...1747...
Mon Aug 11 23:20:09 EDT 2003


signature list..

-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Tuesday, August 12, 2003 9:04 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #670 - 1 msg


Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Re: DCom RPC attack response sig (CK Ng)

--__--__--

Message: 1
From: "CK Ng" <ckng at ...1745...>
To: "Esler, Joel  Contractor" <joel.esler at ...783...>,
   <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] DCom RPC attack response sig
Date: Fri, 8 Aug 2003 10:39:10 +0800

Tested few exploits, but none of the rules below is triggered..
Checking throught the packets, wondering how you get the content signature??

Any suggestion??

Regards,
CK Ng

----- Original Message ----- 
From: "Esler, Joel Contractor" <joel.esler at ...783...>

<..snip..>
alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit
Responce"; flow:from_server,established; flags: PA; content:"|4d 69 63 72 6f
73 6f 66 74 20 57 69 63 64 6f 77 73|"; classtype:successful-admin;)
alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell
Exploit Response"; flags: F+; content:"|80 11 fa f0|";
classtype:successful-admin;)
alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; flags: S+;
content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)






--__--__--

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest




More information about the Snort-sigs mailing list