[Snort-sigs] snort-rules CURRENT update @ Mon Dec 1 13:15:17 2003

bmc at ...95... bmc at ...95...
Mon Dec 1 10:16:10 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|04 00|"; distance:0; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2258; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2257; rev:1;)




