[Snort-sigs] DCOM MS03-026 Alpha Rules

Paul Tinsley pdt at ...1716...
Mon Jul 28 21:58:04 EDT 2003


I have no idea what my web mail client did to those poor signatures but here
goes again from a real client as an attachment.

And if that doesn't work here is a link:
http://jackhammer.org/rules/dcom.rules

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
pdt at ...1716...
Sent: Monday, July 28, 2003 8:54 PM
To: snort-sigs at lists.sourceforge.net

Hey guys,
    I came up with these a little while ago and at least with the dcom.c
that is freely available this seems to catch each variation pretty
well.  I am wondering about false positives and other variations.  I
would appreciate some testing of these rules if anybody is up for it
:)  Any feedback would be greatly appreciated.  A few minutes ago I
saw an 18 target version of the exploit floating around, but don't
have time to test it, maybe tomorrow.

Thanks,
    Paul Tinsley

P.S. - There is some documentation at the jackhammer.org reference.

Each of the target (English) platforms:
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

A more "generic" rule to try and catch variations that might affect other
language platforms and opcodes not currently known.
Not too sure how well this one will work out in the long run, but am
giving it out for those who might want it, instead of 7 rules:
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content:"|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)
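The matching logic these rules rely on, as an added example that is not part of Paul's post or the dcom.rules attachment. It re-implements only the plain Snort `content:` semantics (every hex content in a rule must occur somewhere in the payload, with no offset or depth modifiers) and runs the eight rules over constructed payloads. The payloads are not real DCERPC requests, just the two byte sequences the rules key on with filler between them, and the return addresses 0x77123456 and 0x7C123456 are hypothetical values chosen to probe the generic rule; the seven target addresses themselves are decoded from the bytes in the rules.

```python
"""Added example (not from the original post): a minimal re-implementation of
the Snort content matching the dcom.rules above rely on, run against
constructed payloads so the behaviour of each rule can be checked offline."""
import re
import struct

# The eight rules from the post, re-joined onto one line each (a Snort rule
# must sit on a single line unless a trailing backslash continues it).  The
# reference: options are dropped here only to keep the lines readable.
RULES_TEXT = r'''
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; rev:1;)
'''

CONTENT_RE = re.compile(r'content:\s*"\|([0-9a-fA-F ]+)\|"')
SID_RE = re.compile(r'sid:(\d+);')
MSG_RE = re.compile(r'msg:"([^"]*)"')


def parse_rules(text):
    """Return [(sid, msg, [content bytes, ...]), ...] for every alert line.

    Only the pieces this harness needs are parsed: msg, sid and each
    pipe-delimited hex content.  A real rule parser handles far more."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        contents = [bytes.fromhex(h) for h in CONTENT_RE.findall(line)]
        rules.append((int(SID_RE.search(line).group(1)),
                      MSG_RE.search(line).group(1), contents))
    return rules


def matching_sids(rules, payload):
    """Snort semantics for unmodified content: options: every content in a
    rule must appear somewhere in the payload (logical AND, any offset)."""
    return [sid for sid, _, contents in rules
            if all(c in payload for c in contents)]


def target_return_addresses(rules):
    """For the single-content (per-platform) rules, decode the first four
    bytes as a little-endian address.  This is the only thing that differs
    between the seven platform rules; the trailing eight bytes are identical."""
    return {msg.rsplit("targeting ", 1)[1]: struct.unpack("<I", c[0][:4])[0]
            for _, msg, c in rules if len(c) == 1}


# The eight bytes every platform rule ends with; the generic rule matches
# them together with the 0x77 byte that precedes them in all seven targets.
TRAILER = bytes.fromhex("cc e0 fd 7f") * 2


def fake_payload(ret_addr, with_unc=True):
    """Constructed stand-in for an exploit request.  This is NOT a valid
    DCERPC/RemoteActivation packet, only the two byte sequences the rules
    key on, with filler so that they sit at different offsets."""
    unc = "\\\\FXNBFXFX".encode("utf-16-le") if with_unc else b""
    return (b"\x00" * 24 + unc + b"\x90" * 40
            + struct.pack("<I", ret_addr) + TRAILER)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, addr in target_return_addresses(rules).items():
        print(f"{name:18s} 0x{addr:08x}")
    # A known target: its platform rule and the generic rule both fire.
    print(matching_sids(rules, fake_payload(0x77E81674)))
    # Hypothetical new target with the same 0x77 high byte: generic rule only.
    print(matching_sids(rules, fake_payload(0x77123456)))
    # Hypothetical address outside 0x77xxxxxx: nothing fires, because the
    # generic rule's second content hard-codes that 0x77 byte.
    print(matching_sids(rules, fake_payload(0x7C123456)))
    # Known target but the \\FXNBFXFX server string changed: generic rule misses.
    print(matching_sids(rules, fake_payload(0x77E81674, with_unc=False)))
```

Two things the harness makes visible that the rule text alone does not: the "generic" rule is generic only for return addresses whose top byte is 0x77, since that byte is baked into its second content, and it is the only rule that depends on the `\\FXNBFXFX` string, so a variant that renames the fake server evades sid 1100008 while the per-platform rules still fire. Snort also needs stream reassembly enabled for these contents to be seen if the request is split across TCP segments.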



-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcom.rules
Type: a/octet-stream
Size: 2779 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030728/e5102f38/attachment.bin>