FW: [Snort-sigs] DCom RPC attack response sig

Chris Kronberg smil at ...1754...
Tue Aug 12 11:39:05 EDT 2003


On Tue, 12 Aug 2003, Tech wrote:

>
> That rule will only show when people are trying to exploit a machine, right?

  As long as something is listening on port 135 - right.

> If so, I would rather see a rule that shows that a machine is infected, like
> when it tries to get that file whatever it was called.

  Using the vice versa direction? Once a machine is infected it will
  try to infect others.

alert tcp $HOME_NET any -> $EXTERNAL 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev:1;)

  The other possibility that comes to mind is to watch for the tftp
  upload (trigger for "GET msblast.exe").

  Does anyone know more about that DoS?

  Cheers,


                                                             Chris.
-- 
Agleia Free World
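An added illustration, not part of the original thread or of Snort itself, of the two detection ideas in the message above as stand-alone Python: the `content`/`within` logic of the quoted rule applied to constructed payloads (showing why an ordinary UNC path does not alert but an overlong path with no further separator does), and a parser for the TFTP read request that the "GET msblast.exe" trigger corresponds to. The function names, the `WATCHED_FILES` set and all sample datagrams are assumptions constructed for the example; the `within` emulation is simplified to the first occurrence of the prefix.

```python
import struct

# Added illustration (not from the original thread): the match logic of the
# quoted Snort rule, and a parser for the TFTP read request behind the
# "GET msblast.exe" trigger. Sample payloads below are constructed.

UNC_PREFIX = b"\x00\x5c\x00\x5c"   # content:"|00 5C 00 5C|"
WITHIN = 32                         # within:32 on the negated content


def dcom_rule_matches(payload: bytes) -> bool:
    """Emulate content:"|00 5C 00 5C|"; content:!"|5C|"; within:32.

    After the first occurrence of the UTF-16LE "\\\\" the next 32 bytes
    must contain no 0x5C byte. A normal UNC path (\\\\server\\share)
    always has one, so it does not match; an overlong path with no
    further separator does. Simplification: only the first occurrence
    of the prefix is examined.
    """
    idx = payload.find(UNC_PREFIX)
    if idx == -1:
        return False
    start = idx + len(UNC_PREFIX)
    return b"\x5c" not in payload[start:start + WITHIN]


TFTP_RRQ = 1


def parse_tftp_rrq(datagram: bytes):
    """Parse a TFTP read request (RFC 1350 section 5):
    opcode 1 | filename | 0 | mode | 0. Returns (filename, mode) or None."""
    if len(datagram) < 4:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode != TFTP_RRQ:
        return None
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return filename, mode


# Filename named in the thread; a real deployment would keep this list in
# configuration rather than in code (assumed set, not a Snort artefact).
WATCHED_FILES = {"msblast.exe"}


def tftp_request_is_suspicious(datagram: bytes) -> bool:
    """True when the datagram is an RRQ for a watched filename
    (case-insensitive, last path component only)."""
    parsed = parse_tftp_rrq(datagram)
    if parsed is None:
        return False
    filename, _mode = parsed
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return basename in WATCHED_FILES


# Constructed samples (not captured traffic).
SAMPLES = {
    # ordinary UNC path: a backslash follows within 32 bytes -> no alert
    "unc_path": "X\\\\srv\\share".encode("utf-16-le"),
    # overlong path with no further separator -> alert
    "long_path": ("X\\\\" + "A" * 40).encode("utf-16-le"),
    # no UTF-16 "\\" at all -> no alert
    "no_unc": b"\x05\x00\x0b\x03" + b"B" * 20,
}

TFTP_SAMPLES = {
    "msblast": struct.pack("!H", TFTP_RRQ) + b"msblast.exe\x00octet\x00",
    "benign": struct.pack("!H", TFTP_RRQ) + b"boot.cfg\x00netascii\x00",
    "data_block": struct.pack("!HH", 3, 1) + b"payload",  # DATA, not RRQ
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"dcom {name}: {dcom_rule_matches(payload)}")
    for name, dgram in TFTP_SAMPLES.items():
        print(f"tftp {name}: {tftp_request_is_suspicious(dgram)}")
```

Run as a script it prints one line per sample. The negated `content` with `within` is what keeps the rule from firing on every UNC path crossing port 135: only a string where the second separator never comes within 32 bytes of the leading `\\` is treated as an overlong path. The TFTP side looks at the request rather than the transfer, so the check fires on the first datagram of the fetch regardless of whether the server answers.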