FW: [Snort-sigs] DCom RPC attack response sig

Pogue pogue at ...1749...
Tue Aug 12 08:36:49 EDT 2003


Symantec[0] reports the following signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev: 1; )



[0] https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf 

> 
> -----Original Message-----
> From: CK Ng [mailto:ckng at ...1745...] 
> Sent: Friday, August 08, 2003 11:39 AM
> To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
> 
> Tested a few exploits, but none of the rules below is triggered.
> Checking through the packets, wondering how you got the content signature?
> 
> Any suggestions?
> 
> Regards,
> CK Ng
> 
> ----- Original Message ----- 
> From: "Esler, Joel Contractor" <joel.esler at ...783...>
> 
> <..snip..>
> alert tcp any any -> any any (msg:"Suspected RPC DCOM System Shell Exploit Response"; \
>     flow:from_server,established; flags:PA; \
>     content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73|"; \
>     classtype:successful-admin;)
> # content is ASCII "Microsoft Windows", the cmd.exe banner; as originally posted
> # the hex read "... 57 69 63 64 6f 77 73", i.e. "Wicdows", which the banner
> # never contains
> alert tcp any 135 -> any any (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; \
>     flags:F+; content:"|80 11 fa f0|"; classtype:successful-admin;)
> alert tcp any any -> any any (msg:"RPC DCOM Shell Generation"; \
>     flags:S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; classtype:successful-admin;)
> # these ten bytes are TCP MSS/SACK/timestamp options in the SYN header, and
> # content only searches the packet payload, so this rule cannot fire on a bare SYN
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
------- End of Original Message -------
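Added example (not code from this thread, from Symantec, or from the Snort project): a small Python evaluator for the content / within / negated-content logic of the rules quoted above, run over constructed payloads. It assumes the Snort 2 semantics spelled out in its docstring, and its inputs (the `unc_request` helper and the banner string) are constructed here, not captured traffic. Under those semantics the Symantec rule fires once the server name in the wide-character `\\host\share` path reaches 16 characters, just past the 15-character NetBIOS name limit, so ordinary UNC references pass; decoding the banner hex exactly as it was posted shows one reason that rule would not trigger in CK Ng's tests.

```python
"""Minimal evaluator for Snort content / within / negated-content logic.
Added example; not code from this thread, Symantec or the Snort project."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    negated: bool = False          # content:!"..."
    within: Optional[int] = None   # bytes after the previous match in which to look


@dataclass
class Rule:
    msg: str
    contents: List[Content]


def matches(rule: Rule, payload: bytes) -> bool:
    """Assumed Snort 2 semantics: the first content is searched anywhere in the
    payload; each later content is searched only in the `within` window that
    starts where the previous match ended; a negated content succeeds when its
    pattern is absent from that window.  If a later content fails, the first
    content is retried at its next occurrence."""
    anchor = rule.contents[0]
    pos = payload.find(anchor.pattern)
    while pos != -1:
        end = pos + len(anchor.pattern)
        ok = True
        for c in rule.contents[1:]:
            window = payload[end:end + c.within] if c.within is not None else payload[end:]
            found = c.pattern in window
            if found == c.negated:     # present-but-negated, or absent-but-required
                ok = False
                break
            if not c.negated:
                end += window.index(c.pattern) + len(c.pattern)
        if ok:
            return True
        pos = payload.find(anchor.pattern, pos + 1)
    return False


# Symantec's request-side rule: wide-char "\\" with no further backslash in the
# next 32 bytes, i.e. a server name of 16 or more UTF-16 characters.
SYMANTEC_RULE = Rule(
    "DCE RPC Interface Buffer Overflow Exploit",
    [Content(bytes.fromhex("00 5C 00 5C")),
     Content(b"\x5c", negated=True, within=32)],
)

# The response-side banner rule with its content spelled "Microsoft Windows".
SHELL_BANNER_RULE = Rule(
    "Suspected RPC DCOM System Shell Exploit Response",
    [Content(b"Microsoft Windows")],
)

# The hex content exactly as it appeared in the posted rule, for comparison.
POSTED_BANNER_HEX = "4d 69 63 72 6f 73 6f 66 74 20 57 69 63 64 6f 77 73"


def unc_request(host: str) -> bytes:
    """Constructed stand-in for the wide-string UNC path inside an RPC request:
    a leading NUL (standing in for whatever precedes the string in the real
    PDU) followed by \\\\host\\share encoded as UTF-16LE."""
    return b"\x00" + ("\\\\" + host + "\\share").encode("utf-16-le")


def posted_banner_text() -> str:
    """Decode the hex from the posted rule to see what it actually matches."""
    return bytes.fromhex(POSTED_BANNER_HEX).decode("ascii")


if __name__ == "__main__":
    for host in ("srv", "A" * 15, "A" * 16, "A" * 64):
        print(f"{len(host):3d}-char host ->", matches(SYMANTEC_RULE, unc_request(host)))
    banner = b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"   # constructed banner
    print("banner rule (\"Microsoft Windows\"):", matches(SHELL_BANNER_RULE, banner))
    print("posted hex decodes to:", repr(posted_banner_text()))
```

Running the file prints the verdict for a 3-, 15-, 16- and 64-character server name, which makes the 32-byte window visible as a 16-wide-character threshold; the retry loop in `matches` matters for payloads that contain the `00 5C 00 5C` anchor more than once, where only a later occurrence is followed by a long name.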