[Fwd: [Snort-sigs] dce rpc rules]

Kevin Pietersma Kevin.Pietersma at ...1704...
Fri Jul 25 08:21:06 EDT 2003


Jason had initially referred me to the same signatures as you did, but the primary rule maintainer (Brian @ snort) has corrected him that these are actually different.  This kind of begs the question: we now know they are different, but in what way, and is there a signature in the works for all four ports?

kev

>>> Jason <security at ...704...> 07/24/03 03:14pm >>>
Apologies, bmc has corrected me after I incorrectly assumed that these 
were related. They are different.

Kevin Pietersma wrote:

> Thanks, greatly appreciated and now I noticed they were in the latest signatures.  I searched for the CVE and the bugtraq references... which aren't there.  Noticed these aren't looking at ports 139 or 593 as reported by securityfocus (http://www.securityfocus.com/bid/8205/discussion/). Are there other signatures for these two that I've missed?
> 
> Regards,
> kev
> 
> P.S.  Please feel free to respond and include the list.  I haven't, since you replied off list and I respect your wish if you'd rather it was not copied there.  Or it may simply have been an oversight.
> 
> 
>>>>Jason <security at ...704...> 07/24/03 01:01pm >>>
> 
> here ya go.
> 
> 
> 
> -------- Original Message --------
> Subject:     [Snort-sigs] dce rpc rules
> Date:     Mon, 21 Jul 2003 18:19:31 -0400
> From:     Brian <bmc at ...95...>
> To:     snort-sigs <snort-sigs at lists.sourceforge.net>
> 
> 
> 
> Damn sourceforge. 
> 
> I wrote & released rules for the DCERPC invalid bind DOS seen here:
> 
> http://www.securityfocus.com/archive/1/329755/2003-07-18/2003-07-24/0
> 
> Since you won't get these till tomorrow at the earliest, they are
> listed below.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;) 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
> 
> PS, if you see alerts on these, please send me pcap.
> 
> -brian
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
> same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 
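To make the byte offsets in Brian's sid:2190 rule readable, the following is an added Python example; it is not part of this thread or of the Snort rule distribution. It parses the 16-byte common header of a connection-oriented DCE RPC PDU and re-implements the rule's four checks (rpc_vers at byte 0, ptype at byte 2, the PFC_FIRST_FRAG bit at byte 3, and byte 24, which in a bind PDU is the n_context_elem count) against constructed sample PDUs. The offset layout is taken from the DCE 1.1 RPC bind PDU definition; the sample PDUs, the 5840-byte fragment sizes and the zero-filled placeholder context elements are constructed test data. The SMB-transported variant (sid:2191) applies the same four checks inside a Transaction to \PIPE\ and is not reproduced here.

```python
import struct

PTYPE_BIND = 0x0B       # DCE RPC connection-oriented PDU type "bind"
PFC_FIRST_FRAG = 0x01   # pfc_flags bit tested by byte_test:1,&,1,0,relative
PFC_LAST_FRAG = 0x02


def parse_co_header(pdu: bytes) -> dict:
    """Parse the 16-byte common header shared by all connection-oriented
    DCE RPC PDUs (DCE 1.1 RPC spec layout: rpc_vers, rpc_vers_minor, ptype,
    pfc_flags, drep[4], frag_length, auth_length, call_id)."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<4B", pdu, 0)
    # drep[0] bit 4 gives the integer byte order: set means little-endian
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {
        "rpc_vers": rpc_vers, "rpc_vers_minor": rpc_vers_minor,
        "ptype": ptype, "pfc_flags": pfc_flags,
        "frag_length": frag_length, "auth_length": auth_length, "call_id": call_id,
    }


def matches_sid_2190(payload: bytes) -> bool:
    """Re-implement the four byte checks of sid:2190 against one TCP payload.

    content:"|05|"; distance:0; within:1   -> payload[0]  == 0x05  (rpc_vers)
    content:"|0b|"; distance:1; within:1   -> payload[2]  == 0x0b  (ptype = bind)
    byte_test:1,&,1,0,relative             -> payload[3]  & 0x01   (PFC_FIRST_FRAG)
    content:"|00|"; distance:21; within:1  -> payload[24] == 0x00  (n_context_elem)

    Byte 24 is p_cont_list_t.n_context_elem in a bind PDU, so the rule fires on
    a first-fragment bind that offers zero presentation contexts.
    """
    if len(payload) < 25:
        return False
    return (payload[0] == 0x05
            and payload[2] == PTYPE_BIND
            and bool(payload[3] & PFC_FIRST_FRAG)
            and payload[24] == 0x00)


def build_bind_pdu(n_context_elem: int,
                   pfc_flags: int = PFC_FIRST_FRAG | PFC_LAST_FRAG,
                   ptype: int = PTYPE_BIND) -> bytes:
    """Construct a sample bind PDU (constructed test data, not captured traffic).
    Context elements are zero-filled placeholders; only the header and the
    n_context_elem count matter for the rule being mirrored."""
    body = struct.pack("<HHI", 5840, 5840, 0)          # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", n_context_elem, 0, 0)   # n_context_elem, reserved, reserved2
    body += b"\x00" * (44 * n_context_elem)             # placeholder p_cont_elem_t entries, 44 bytes each
    frag_length = 16 + len(body)
    header = struct.pack("<4B", 0x05, 0x00, ptype, pfc_flags)
    header += bytes([0x10, 0x00, 0x00, 0x00])           # drep: little-endian ints, ASCII, IEEE float
    header += struct.pack("<HHI", frag_length, 0, 1)    # frag_length, auth_length, call_id
    return header + body


if __name__ == "__main__":
    samples = {
        "bind, 1 context (normal)": build_bind_pdu(1),
        "bind, 0 contexts (what sid:2190 flags)": build_bind_pdu(0),
        "bind, 0 contexts, not first fragment": build_bind_pdu(0, pfc_flags=PFC_LAST_FRAG),
        "request PDU with byte 24 == 0": build_bind_pdu(0, ptype=0x00),
    }
    for name, pdu in samples.items():
        hdr = parse_co_header(pdu)
        print(f"{name:42s} ptype=0x{hdr['ptype']:02x} "
              f"frag_length={hdr['frag_length']:3d} match={matches_sid_2190(pdu)}")
```

The checker only reproduces the payload tests; the rule's `flow:to_server,established` and destination port 135 constraints are left to the sensor, so on its own the function will also match a zero-context bind seen on any other port or direction.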