FW: [Snort-sigs] DCom RPC attack response sig

Bennett Todd bet at ...654...
Tue Aug 12 12:45:05 EDT 2003


2003-08-12T14:36:39 Chris Kronberg:
>   Using the vice versa direction? Once a machine is infected it will
>   try to infect others.
> 
> alert tcp $HOME_NET any -> $EXTERNAL 135 \
> (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
> content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
> flow:to_server,established; \
> reference:bugtraq,8205; rev: 1; )

s/$EXTERNAL/$EXTERNAL_NET/?

-Bennett
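
An added example, not part of the original thread: a small Python check that lists variables referenced in rule headers but never defined in the configuration, run on the rule as quoted above. The `var` lines in the sample configuration are constructed, the function names are hypothetical, and only plain `$NAME` references are handled.

```python
import difflib
import re

# Constructed sample configuration (snort.conf-style variable definitions).
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/16
var EXTERNAL_NET !$HOME_NET
"""

# The rule as quoted in the thread, including its backslash continuations.
SAMPLE_RULES = r"""
alert tcp $HOME_NET any -> $EXTERNAL 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev: 1; )
"""

VAR_DEF = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+\S")
VAR_REF = re.compile(r"\$(\w+)")  # plain $NAME form only
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")

def logical_lines(text):
    """Join backslash-continued lines and drop blank ones."""
    joined = re.sub(r"\\\s*\n", " ", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]

def defined_vars(conf_text):
    """Names introduced by var/ipvar/portvar lines."""
    matches = (VAR_DEF.match(ln) for ln in logical_lines(conf_text))
    return {m.group(1) for m in matches if m}

def undefined_header_vars(rules_text, defined):
    """Return (name, closest defined name or None) for each undefined header variable."""
    findings = []
    for line in logical_lines(rules_text):
        if line.split()[0] not in ACTIONS:
            continue  # comments, config directives, anything that is not a rule
        header = line.split("(", 1)[0]  # options may legitimately contain '$'
        for name in VAR_REF.findall(header):
            if name not in defined:
                hint = difflib.get_close_matches(name, sorted(defined), n=1)
                findings.append((name, hint[0] if hint else None))
    return findings

if __name__ == "__main__":
    for name, hint in undefined_header_vars(SAMPLE_RULES, defined_vars(SAMPLE_CONF)):
        print(f"undefined ${name}" + (f" (did you mean ${hint}?)" if hint else ""))
```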