[Snort-sigs] Possible new strain of Blaster or is it a false positive?

Marty.Bostick at ...495...
Fri Aug 22 13:27:15 EDT 2003




Could someone please verify that the following signatures do not cause
false positive alerts with printing?  If they do not, I may be seeing
something new!

Thanks

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
flow:to_server,established; content:"|05|"; distance:0; \
within:1; content:"|0b|"; distance:1; within:1; \
byte_test:1,&,1,0,relative; \
content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
distance:29; within:16; reference:cve,CAN-2003-0352; \
classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
(msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
flow:to_server,established; content:"|05|"; distance:0; \
within:1; content:"|0b|"; distance:1; within:1; \
byte_test:1,&,1,0,relative; \
content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
distance:29; within:16; reference:cve,CAN-2003-0352; \
classtype:attempted-admin; sid:2192; rev:1;)

Marty Bostick
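
The payload options of the rules above, written out as an added example (not part of the original post) so they can be checked against a bind for the target interface and a bind for a printing interface. The function names and the constructed single-context bind PDUs are assumptions of this example; the spoolss UUID stands in for print traffic, and the rule's port and flow checks are not modelled.

```python
import struct
import uuid

# Interface UUIDs in DCERPC wire (little-endian) form.
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046").bytes_le
SPOOLSS = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab").bytes_le  # print spooler
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le  # transfer syntax


def build_bind(iface, pfc_flags=0x03):
    """Constructed single-context DCERPC bind PDU (sample input, not a capture)."""
    body = struct.pack("<HHI", 5840, 5840, 0)      # max_xmit, max_recv, assoc_group
    body += struct.pack("<B3x", 1)                 # one context element
    body += struct.pack("<HBx", 0, 1)              # context id, one transfer syntax
    body += iface + struct.pack("<I", 0)           # abstract syntax UUID at byte 32
    body += NDR + struct.pack("<I", 2)             # transfer syntax
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0x0B, pfc_flags,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return hdr + body


def content(payload, cursor, pattern, distance, within):
    """Relative content match: skip `distance` bytes past the cursor, then the
    pattern must fit in the next `within` bytes. Returns the new cursor or None."""
    lo = cursor + distance
    pos = payload.find(pattern, lo, lo + within)
    return None if pos < 0 else pos + len(pattern)


def rule_2192_payload_match(payload):
    """Evaluate the rule's payload options in the order they are written."""
    cur = content(payload, 0, b"\x05", 0, 1)         # rpc_vers == 5 at byte 0
    if cur is None:
        return False
    cur = content(payload, cur, b"\x0b", 1, 1)       # ptype == bind at byte 2
    if cur is None:
        return False
    if cur >= len(payload) or not payload[cur] & 1:  # byte_test: PFC_FIRST_FRAG set
        return False
    return content(payload, cur, ISYSTEMACTIVATOR, 29, 16) is not None
```

The last content option pins the 16-byte UUID to bytes 32 through 47, which is the abstract syntax of the first context element in a bind.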

