FW: [Snort-sigs] DCom RPC attack response sig

Sewell, Michael K sewe3547 at ...1239...
Wed Aug 13 05:24:10 EDT 2003


I've seen associated activity with machines scanning for port 4444; looks
like as a 'scanning' machine connects successfully to port 135 it then
attempts a connect to port 4444 (and I haven't seen a successful connect to
port 4444. Guess I could fake it and see). Not sure if this is an indication
of an infected machine or just a machine that is one step away from getting
infected (searching for the payload). Anyone have any insight into this?

-mks


-----Original Message-----
From: Bennett Todd [mailto:bet at ...654...]
Sent: Tuesday, August 12, 2003 1:54 PM
To: Chris Kronberg
Cc: Tech; snort-sigs at lists.sourceforge.net
Subject: Re: FW: [Snort-sigs] DCom RPC attack response sig


2003-08-12T14:36:39 Chris Kronberg:
>   Using the vice versa direction? Once a machine is infected it will
>   try to infect others.
> 
> alert tcp $HOME_NET any -> $EXTERNAL 135 \
> (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
> content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; \
> flow:to_server,established; \
> reference:bugtraq,8205; rev: 1; )

s/$EXTERNAL/$EXTERNAL_NET/?

-Bennett
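One way to check the pattern Michael describes (a successful connect to 135 followed shortly by a connect attempt to 4444 from the same source) against a connection log, as an added example that is not from this thread or from Snort; the log format, field names and sample lines are constructed, and the 60-second window is an assumption:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): "timestamp src dst dport state".
SAMPLE_LOG = """\
2003-08-12T14:36:00 10.1.2.3 192.168.5.10 135 established
2003-08-12T14:36:02 10.1.2.3 192.168.5.10 4444 syn_only
2003-08-12T14:36:10 10.1.2.3 192.168.5.11 135 established
2003-08-12T14:36:11 10.1.2.3 192.168.5.11 4444 established
2003-08-12T14:40:00 10.9.9.9 192.168.5.12 135 established
2003-08-12T14:50:00 10.9.9.9 192.168.5.12 4444 syn_only
2003-08-12T15:00:00 10.7.7.7 192.168.5.13 4444 syn_only
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
WINDOW = timedelta(seconds=60)  # assumed maximum gap between the 135 and 4444 events

def parse(log):
    """Yield (time, src, dst, dport, state) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, state = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), state

def correlate(log, window=WINDOW):
    """Return {src: [(dst, state_of_4444_attempt), ...]} for every source whose
    4444 attempt against a host follows a successful 135 connection to that same
    host within `window`. A 4444 attempt with no preceding 135 connection, or one
    outside the window, is not this pattern and is ignored."""
    last_135 = {}  # (src, dst) -> time of most recent established 135 connection
    hits = defaultdict(list)
    for ts, src, dst, dport, state in sorted(parse(log)):
        key = (src, dst)
        if dport == 135 and state == "established":
            last_135[key] = ts
        elif dport == 4444 and key in last_135 and ts - last_135[key] <= window:
            hits[src].append((dst, state))
    return dict(hits)

if __name__ == "__main__":
    for src, targets in correlate(SAMPLE_LOG).items():
        states = sorted({s for _, s in targets})
        print(f"{src}: 135->4444 against {len(targets)} host(s); 4444 states: {states}")
```

The per-target state of the 4444 attempt is kept so that hosts where 4444 only ever sees a SYN (the case Michael reports) can be told apart from hosts where the connection completed.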
