FW: [Snort-sigs] DCom RPC attack response sig

Chris Kronberg smil at ...1754...
Wed Aug 13 00:33:08 EDT 2003


On Tue, 12 Aug 2003, Bennett Todd wrote:
> 2003-08-12T14:36:39 Chris Kronberg:
> >   Using the vice versa direction? Once a machine is infected it will
> >   try to infect others.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL 135 \
> > (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
> > content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
> > flow:to_server,established; \
> > reference:bugtraq,8205; rev: 1; )
>
> s/$EXTERNAL/$EXTERNAL_NET/?

  You are right. :-) It's been too hot all day.
  Probably even better will be  "$HOME_NET any -> any 135",
  when looking at the way the worm builds its target IP
  addresses.

  Cheers,

                                                   Chris.

-- 
Agleia Free World
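To make the match semantics of the rule discussed above concrete, here is an added Python emulation (not code from this list, from Chris, or from Snort itself) of the header check "$HOME_NET any -> any 135" plus the content/within logic; the $HOME_NET value and the sample payloads are constructed for illustration, and the approximation of Snort's relative-content behaviour is an assumption noted in the code.

```python
import ipaddress

# Emulation of the rule discussed in the thread:
#   alert tcp $HOME_NET any -> any 135 (content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; ...)
# $HOME_NET is a constructed value; a real sensor uses its own definition.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]
DOUBLE_BACKSLASH_UTF16 = b"\x00\x5c\x00\x5c"   # the first content match
SEPARATOR = b"\x5c"                             # the negated, relative content


def payload_matches(payload: bytes, within: int = 32) -> bool:
    """True when the payload satisfies both content options.

    Assumed (approximate) Snort semantics: after the first content is found,
    the negated content must NOT occur in the `within` bytes that follow the
    end of that match. Each occurrence of the first content is tried in turn.
    """
    start = 0
    while (idx := payload.find(DOUBLE_BACKSLASH_UTF16, start)) != -1:
        end = idx + len(DOUBLE_BACKSLASH_UTF16)
        if SEPARATOR not in payload[end:end + within]:
            return True   # long UNC component with no separating backslash
        start = idx + 1
    return False


def rule_fires(src_ip: str, dst_port: int, payload: bytes) -> bool:
    """Header check ($HOME_NET any -> any 135) plus the payload check above."""
    from_home = any(ipaddress.ip_address(src_ip) in net for net in HOME_NET)
    return from_home and dst_port == 135 and payload_matches(payload)


# Constructed sample payloads: a UNC path whose first component is overlong
# versus a normal "\\server\share". The leading "x" supplies the NUL byte that
# the |00 5C 00 5C| pattern expects before the UTF-16LE backslashes.
OVERLONG_UNC = ("x\\\\" + "A" * 40).encode("utf-16-le")
BENIGN_UNC = "x\\\\server\\share".encode("utf-16-le")

if __name__ == "__main__":
    print("overlong UNC, home net -> 135:", rule_fires("192.168.1.10", 135, OVERLONG_UNC))  # True
    print("benign UNC, same flow:        ", rule_fires("192.168.1.10", 135, BENIGN_UNC))    # False
    print("overlong UNC, outside source: ", rule_fires("203.0.113.5", 135, OVERLONG_UNC))   # False
```

The outbound direction is what makes the rule useful here: it flags an already-infected internal host the moment it starts probing port 135 elsewhere, regardless of whether the target is inside or outside the local range.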
