FW: [Snort-sigs] DCom RPC attack response sig
smil at ...1754...
Tue Aug 12 11:39:05 EDT 2003
On Tue, 12 Aug 2003, Tech wrote:
> That rule will only show when people are trying to exploit a machine, right?
As long as something is listening on port 135 - right.
> If so, I would rather see a rule that shows that a machine is infected, like
> when it tries to get that file whatever it was called.
Using the vice versa direction? Once a machine is infected it will
try to infect others.
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
reference:bugtraq,8205; rev:1;)
The other possibility that comes to mind is to fetch for the tftp
upload (trigger for "GET msblast.exe").
Does anyone know more about that DoS?
Agleia Free World
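The two detection ideas in the post above, written out as an added, stand-alone example (not code from the mailing list): a matcher that reproduces the rule's content / negated-content-within-32 logic over a TCP payload, and a TFTP read-request parser that flags the "GET msblast.exe" fetch. The sample payloads are constructed for illustration, and the matcher stands in for Snort's own content engine rather than calling it.

```python
import struct

# From the rule: the 4-byte sequence 00 5C 00 5C must occur, and no 0x5C byte
# may appear in the 32 bytes that follow it (a long UNC host name with no
# further backslash, instead of a short "\\host\share" path).
DCOM_MARKER = b"\x00\x5c\x00\x5c"


def matches_dcom_rule(payload: bytes, within: int = 32) -> bool:
    """True if payload satisfies content:"|00 5C 00 5C|"; content:!"|5C|"; within:32."""
    start = 0
    while True:
        idx = payload.find(DCOM_MARKER, start)
        if idx < 0:
            return False
        end = idx + len(DCOM_MARKER)
        # negated content: 0x5C must be absent from the `within` bytes after the match
        if b"\x5c" not in payload[end:end + within]:
            return True
        start = idx + 1  # like Snort, retry later occurrences of the first content


def parse_tftp_rrq(datagram: bytes):
    """Parse a TFTP read request (opcode 1): returns (filename, mode) or None."""
    if len(datagram) < 4 or struct.unpack("!H", datagram[:2])[0] != 1:
        return None
    parts = datagram[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:  # need NUL-terminated name and mode
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()


def is_msblast_fetch(datagram: bytes) -> bool:
    """The tftp trigger from the post: an RRQ for msblast.exe from an infected host."""
    rrq = parse_tftp_rrq(datagram)
    return rrq is not None and rrq[0].lower() == "msblast.exe"


if __name__ == "__main__":
    # constructed samples, not captured traffic
    exploit_like = b"\x05\x00\x00\x03" + DCOM_MARKER + b"A\x00" * 40
    benign_unc = b"\x00" + "\\\\SRV\\share".encode("utf-16le")
    rrq = b"\x00\x01msblast.exe\x00octet\x00"
    print(matches_dcom_rule(exploit_like), matches_dcom_rule(benign_unc))
    print(is_msblast_fetch(rrq))
```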