FW: [Snort-sigs] DCom RPC attack response sig
smil at ...1754...
Wed Aug 13 00:33:08 EDT 2003
On Tue, 12 Aug 2003, Bennett Todd wrote:
> 2003-08-12T14:36:39 Chris Kronberg:
> > Using the vice versa direction? Once a machine is infected it will
> > try to infect others.
> > alert tcp $HOME_NET any -> $EXTERNAL 135 \
> > (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
> > content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
> > flow:to_server,established; \
> > reference:bugtraq,8205; rev: 1; )
You are right. :-) It's been too hot all day.
Probably even better will be "$HOME_NET any -> any 135",
when looking at the way the worm builds its target IP
Agleia Free World