FW: [Snort-sigs] DCom RPC attack response sig

Tech tech at ...1753...
Tue Aug 12 10:21:02 EDT 2003


That rule will only show when people are trying to exploit a machine, right?

If so, I would rather see a rule that shows that a machine is infected, like
when it tries to get that file, whatever it was called.



-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Pogue
Sent: 12 August 2003 07:56
To: snort-sigs at lists.sourceforge.net
Subject: Re: FW: [Snort-sigs] DCom RPC attack response sig

Symantec[0] reports the following signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
  (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
  content:"|00 5C 00 5C|"; \
  content:!"|5C|"; within:32; \
  flow:to_server,established; \
  reference:bugtraq,8205; rev:1;)



[0]
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf 

> 
> -----Original Message-----
> From: CK Ng [mailto:ckng at ...1745...]
> Sent: Friday, August 08, 2003 11:39 AM
> To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
> 
> Tested a few exploits, but none of the rules below is triggered..
> Checking through the packets, wondering how you get the content
> signature??
> 
> Any suggestion??
> 
> Regards,
> CK Ng
> 
> ----- Original Message -----
> From: "Esler, Joel Contractor" <joel.esler at ...783...>
> 
> <..snip..>
> # The content below decodes to "Microsoft Windows" (the cmd.exe banner). The
> # original post had 63 in place of 6e ("Wicdows"), an apparent hex typo that
> # would never match; corrected here.
> alert tcp any any -> any any \
>   (msg:"Suspected RPC DCOM System Shell Exploit Response"; \
>   flow:from_server,established; flags:PA; \
>   content:"|4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73|"; \
>   classtype:successful-admin;)
> alert tcp any 135 -> any any \
>   (msg:"Suspected RPC DCOM Successful Shell Exploit Response"; \
>   flags:F+; content:"|80 11 fa f0|"; \
>   classtype:successful-admin;)
> alert tcp any any -> any any \
>   (msg:"RPC DCOM Shell Generation"; \
>   flags:S+; content:"|00 00 02 04 05 b4 04 02 08 0a|"; \
>   classtype:successful-admin;)
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
------- End of Original Message -------
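An added example, not part of the thread or of Symantec's report: a Python model of the content logic in the Symantec rule quoted above (anchor content, then a negated content with within:32), run over constructed request payloads. The NDR string header in sample_request() and all function names are assumptions made for the illustration.

```python
import re
import struct


def snort_content_to_bytes(spec: str) -> bytes:
    """Decode a Snort content string: |hh hh| runs are hex, the rest is literal."""
    out = bytearray()
    for part in re.split(r"(\|[^|]*\|)", spec):
        if part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part[1:-1])
        else:
            out += part.encode("latin-1")
    return bytes(out)


# Content options taken from the Symantec rule quoted in the thread.
ANCHOR = snort_content_to_bytes("|00 5C 00 5C|")  # two consecutive UTF-16LE backslashes
FORBIDDEN = snort_content_to_bytes("|5C|")        # negated, relative to ANCHOR
WITHIN = 32


def symantec_rule_matches(payload: bytes) -> bool:
    """Model of  content:"|00 5C 00 5C|"; content:!"|5C|"; within:32;
    Alert when some occurrence of ANCHOR is followed by 32 bytes containing no
    0x5C. Snort retries later occurrences of the first content when a relative
    content fails, so every occurrence is tried here as well."""
    start = payload.find(ANCHOR)
    while start != -1:
        end = start + len(ANCHOR)
        if FORBIDDEN not in payload[end:end + WITHIN]:
            return True
        start = payload.find(ANCHOR, start + 1)
    return False


def sample_request(host: str) -> bytes:
    """Constructed stand-in for the UNC path carried in the RPC request: an NDR
    conformant-string header (max count, offset, actual count) followed by the
    UTF-16LE path. Hypothetical layout, just enough to exercise the rule."""
    path = "\\\\" + host + "\\c$\\test.txt"
    return struct.pack("<III", len(path), 0, len(path)) + path.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed hostnames: a normal name, then names at and past the threshold.
    for host in ("server01", "A" * 15, "A" * 16, "A" * 40):
        print(f"{host[:20]:<20} alert={symantec_rule_matches(sample_request(host))}")
```

For a legitimate \\host\share path the second backslash is a UTF-16LE 5C at most 31 bytes after the prefix when the name is NetBIOS-length (15 characters), so the rule effectively alerts on hostnames of 16 or more characters in the request.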


