[Snort-sigs] dce rpc rules

Dale L. Handy dhandy at ...1244...
Thu Jul 24 15:32:02 EDT 2003


I was looking at these rules, and at Microsoft's documentation on this 
vulnerability.  It appears that the attack can be made via both TCP and 
UDP, since RPC answers on both.

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Should there then be rules for both TCP and UDP?  I assume (and I know 
that is not safe, since I haven't burrowed into the issue any further 
than to read the above article) that the body would be the same, just a 
different protocol.


Brian wrote:

>Damn sourceforge. 
>
>I wrote & released rules for the DCERPC invalid bind DOS seen here:
>
>http://www.securityfocus.com/archive/1/329755/2003-07-18/2003-07-24/0
>
>Since you won't get these till tomorrow at the earliest, they are
>listed below.
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;) 
>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
>
>PS, if you see alerts on these, please send me pcap.
>
>-brian
>
>

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dhandy at ...1244...
   http://www.nitrodata.com
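As an added illustration (not part of Brian's rules or anything posted in this thread), the Python below reproduces the byte checks of sid:2190 against a constructed connection-oriented DCERPC bind header, so the rule's offsets can be read against the PDU layout; `build_bind` and `is_invalid_bind` are names chosen here.

```python
import struct

# Connection-oriented (C/O) DCERPC PDU header, little-endian as on the wire:
#   0 rpc_vers, 1 rpc_vers_minor, 2 ptype, 3 pfc_flags, 4-7 packed_drep,
#   8-9 frag_length, 10-11 auth_length, 12-15 call_id.
# A bind PDU continues with max_xmit_frag(2), max_recv_frag(2),
# assoc_group_id(4), then p_context_elem whose first byte (offset 24)
# is n_context_elem; the real context elements would follow.
PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
NUM_CTX_OFFSET = 24


def is_invalid_bind(payload: bytes) -> bool:
    """Same tests as sid:2190: RPC v5, bind PDU, first fragment, and a
    context-element count of zero at offset 24."""
    if len(payload) <= NUM_CTX_OFFSET:
        return False  # within:1 on the last content needs that byte to exist
    return (
        payload[0] == 0x05                       # content:"|05|"; distance:0; within:1
        and payload[2] == PTYPE_BIND             # content:"|0b|"; distance:1; within:1
        and payload[3] & PFC_FIRST_FRAG == PFC_FIRST_FRAG  # byte_test:1,&,1,0,relative
        and payload[NUM_CTX_OFFSET] == 0x00      # content:"|00|"; distance:21; within:1
    )


def build_bind(num_ctx_items: int, call_id: int = 1) -> bytes:
    """Constructed sample for testing only: a minimal C/O bind header up to
    and including n_context_elem (no context elements are appended)."""
    body = struct.pack("<HHI", 5840, 5840, 0)   # max_xmit, max_recv, assoc_group
    body += struct.pack("<B3x", num_ctx_items)  # n_context_elem + 3 reserved bytes
    frag_len = 16 + len(body)
    header = struct.pack(
        "<BBBB4sHHI",
        5, 0, PTYPE_BIND, PFC_FIRST_FRAG | 0x02,  # first+last fragment
        b"\x10\x00\x00\x00",                      # little-endian, ASCII drep
        frag_len, 0, call_id,
    )
    return header + body


def scan(payloads):
    """Return the indices of payloads that the rule logic would alert on."""
    return [i for i, p in enumerate(payloads) if is_invalid_bind(p)]
```

The offsets above belong to the connection-oriented header used over TCP; connectionless DCERPC over UDP uses a different 80-byte header with rpc_vers 4 and has no bind PDU at all, so the same content matches cannot be reused unchanged with `udp` in place of `tcp`.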