FW: [Snort-sigs] DCom RPC attack response sig

Chris Kronberg smil at ...1754...
Tue Aug 12 11:39:05 EDT 2003

On Tue, 12 Aug 2003, Tech wrote:

> That rule will only show when people are trying to exploit a machine, right?

  As long as something is listening on port 135 - right.

> If so, i would rather see a rule that shows that a machine is infected, like
> when it tries to get that file whatever it was called.

  Using the vice versa direction? Once a machine is infected it will
  try to infect others.

alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev:1;)

  The other possibility that comes to mind is to fetch for the tftp
  upload (trigger for "GET msblast.exe").

  Does anyone know more about that DoS?


Agleia Free World
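The matching logic of the rule posted above, plus a parser for the tftp read request Chris mentions, as an added example that is not part of the mailing-list post or of Snort itself. The sample payloads are constructed; retrying later occurrences of the first content when the negated check fails is assumed here to mirror how Snort evaluates relative content options.

```python
# Added example (not from the mailing-list post or from Snort): a plain-Python
# re-implementation of the two content checks in the posted rule, plus a
# parser for the TFTP read request that an infected host sends when it
# fetches msblast.exe. All sample payloads below are constructed.

UNC_PREFIX = b"\x00\x5c\x00\x5c"   # content:"|00 5C 00 5C|": UTF-16LE "\\" after a low byte
BACKSLASH = b"\x5c"                # content:!"|5C|"
WITHIN = 32                        # within:32 -> the 32 bytes after the previous match


def rule_matches(payload: bytes) -> bool:
    """True if payload satisfies both content options of the posted rule.

    content:!"|5C|"; within:32 asserts that no 0x5C byte occurs in the 32
    bytes that follow the end of the UNC_PREFIX match. If that check fails we
    move on to the next occurrence of UNC_PREFIX (assumed here to mirror
    Snort's evaluation of relative content options).
    """
    start = 0
    while True:
        idx = payload.find(UNC_PREFIX, start)
        if idx == -1:
            return False
        end = idx + len(UNC_PREFIX)
        if BACKSLASH not in payload[end:end + WITHIN]:
            return True
        start = idx + 1


def tftp_rrq_filename(packet: bytes):
    """Return the requested filename of a TFTP read request (RRQ, opcode 1),
    or None if the packet is not a well-formed RRQ.

    A tftp client's "GET msblast.exe" is an RRQ on the wire:
    opcode (2 bytes) | filename | 0x00 | mode | 0x00
    """
    if len(packet) < 4 or packet[:2] != b"\x00\x01":
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # filename or mode missing / not NUL-terminated
    return fields[0].decode("ascii", errors="replace")


# Constructed samples: UNC paths as they appear inside a UTF-16LE string.
BENIGN_UNC = "x\\\\FILESRV\\public".encode("utf-16-le")               # next backslash inside 32 bytes
LONG_UNC = ("x\\\\" + "A" * 40).encode("utf-16-le")                    # no backslash for 80 bytes
BOUNDARY_UNC = ("x\\\\" + "A" * 16 + "\\share").encode("utf-16-le")    # 16-char name: still fires

RRQ_MSBLAST = b"\x00\x01msblast.exe\x00octet\x00"   # constructed read request
WRQ_PACKET = b"\x00\x02upload.bin\x00octet\x00"     # write request, not a GET

if __name__ == "__main__":
    for name, p in [("benign", BENIGN_UNC), ("long", LONG_UNC), ("boundary", BOUNDARY_UNC)]:
        print(f"{name:9s} -> {rule_matches(p)}")
    print("rrq file ->", tftp_rrq_filename(RRQ_MSBLAST))
    print("wrq file ->", tftp_rrq_filename(WRQ_PACKET))
```

Running it shows what the negated `within:32` check actually encodes: the rule fires only when the UNC prefix is followed by at least 16 UTF-16 characters with no further backslash, so an ordinary short server name does not trigger it. With the source and destination swapped as in the post ($HOME_NET any -> $EXTERNAL_NET 135) the same match becomes an indicator of an internal host scanning outward, and the RRQ parser gives the second signal Chris suggests, the tftp fetch of the worm binary.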
