[Snort-sigs] dce rpc rules

Brian bmc at ...95...
Mon Jul 21 15:21:27 EDT 2003


Damn sourceforge. 

I wrote & released rules for the DCERPC invalid bind DOS seen here:

http://www.securityfocus.com/archive/1/329755/2003-07-18/2003-07-24/0

Since you won't get these till tomorrow at the earliest, they are
listed below.

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

PS, if you see alerts on these, please send me pcap.

-brian
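As an added illustration (not part of Brian's post or the Snort ruleset), the following Python reproduces the byte checks that sid:2190 encodes, so you can see what the rule is actually keying on: byte 0 is the DCERPC major version (5), byte 2 is the PDU type (0x0b, bind), the `byte_test` requires the first-fragment bit in the pfc_flags byte, and the final `content:"|00|"; distance:21` lands on byte 24, which in a connection-oriented bind PDU is the number of presentation context elements. The `build_bind` helper constructs minimal sample bind PDUs for testing; the `matches_invalid_bind` function name and the sample values are my own and are not defined anywhere in Snort.

```python
import struct

# Constants for the DCERPC connection-oriented PDU header (16 bytes) and the
# bind-specific fields that follow it. Offsets are the ones the rule's
# distance/within modifiers step through.
DCERPC_VERSION = 0x05
PTYPE_BIND = 0x0b
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
# header(16) + max_xmit_frag(2) + max_recv_frag(2) + assoc_group_id(4) = 24
NUM_CTX_ITEMS_OFFSET = 24


def matches_invalid_bind(payload: bytes) -> bool:
    """Return True when the payload meets the same conditions as sid:2190.

    This is a stand-alone re-implementation of the rule's content/byte_test
    chain, not Snort code; it operates on the raw TCP payload to port 135.
    """
    if len(payload) < NUM_CTX_ITEMS_OFFSET + 1:
        return False
    version, _minor, ptype, pfc_flags = struct.unpack_from("<BBBB", payload, 0)
    if version != DCERPC_VERSION or ptype != PTYPE_BIND:
        return False
    # byte_test:1,&,1,0,relative -> first-fragment flag must be set
    if not (pfc_flags & PFC_FIRST_FRAG):
        return False
    # content:"|00|"; distance:21; within:1 -> zero context elements
    return payload[NUM_CTX_ITEMS_OFFSET] == 0x00


def build_bind(num_ctx_items: int, call_id: int = 1,
               pfc_flags: int = PFC_FIRST_FRAG | PFC_LAST_FRAG) -> bytes:
    """Constructed sample: a minimal DCERPC bind PDU (header + bind fields)
    with the given context-element count. The context entries themselves are
    omitted because the rule never looks past byte 24."""
    body = struct.pack("<HHI", 5840, 5840, 0)      # max_xmit, max_recv, assoc_group_id
    body += struct.pack("<B3x", num_ctx_items)     # n_context_elem + 3 reserved bytes
    frag_len = 16 + len(body)
    header = struct.pack("<BBBB", DCERPC_VERSION, 0, PTYPE_BIND, pfc_flags)
    header += bytes([0x10, 0x00, 0x00, 0x00])      # drep: little-endian, ASCII, IEEE float
    header += struct.pack("<HHI", frag_len, 0, call_id)  # frag_len, auth_len, call_id
    return header + body


def classify(pdus):
    """Run the check over (label, payload) pairs and return (label, hit) pairs."""
    return [(label, matches_invalid_bind(p)) for label, p in pdus]


if __name__ == "__main__":
    samples = [("normal bind, 1 context", build_bind(1)),
               ("bind with 0 contexts", build_bind(0))]
    for label, hit in classify(samples):
        print(f"{label}: {'ALERT' if hit else 'ok'}")
```

Running it flags only the zero-context bind; a bind with at least one context element, a non-first fragment, or a PDU of another type passes. The same checks apply to the SMB variant (sid:2191) once the DCERPC PDU has been located inside the SMB Transaction request to `\PIPE\`, which that rule does with its own content chain.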