[Snort-sigs] DCom RPC attack response sig
michael_anuzis at ...12...
Tue Jul 29 06:26:12 EDT 2003
Hey, I noticed there were a few posts in the past regarding this new DCom
RPC attack, and some uncertainty was expressed regarding the effectiveness of the
sigs. I haven't checked the old sigs submitted, but I wrote my own sig and
have tested that it works just fine. It simply watches for the hex used to
display the command prompt returning to the hacker connecting on port 4444.
The sig was set up so it would work both on a Windows Snort implementation
on the actual host getting hacked and, in my case, from an
OpenBSD IDS next to it via a hub. The sig is as follows:
# Rule as posted, rejoined onto one line; sid (local 1000000+ range) and rev added so a current Snort will load it
alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin; sid:1000001; rev:1;)
Hope this helps for those that were unsure.
Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.
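As an added example (not part of Michael's post or of the Snort distribution), here is a Python re-implementation of what the rule above inspects: the source port, the flow direction and the hex content match. The content bytes |3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65| decode to ":\WINDOWS\syste", the start of the "C:\WINDOWS\system32>" prompt a bind shell echoes back. The script runs the match over a handful of constructed TCP segments (the port numbers, banner text and direction flags are made up, not captured traffic). It also shows why the pattern starts at ":\" rather than "C:\" (the drive letter is not fixed) and one prompt the pattern does not cover: a Windows 2000 host, whose default system root is WINNT rather than WINDOWS. The Segment class, rule_matches and evaluate are names chosen here, not Snort API.

```python
"""Re-implementation of the posted Snort rule's match logic over constructed payloads.

Added example; not code from the original post or from Snort.
"""
from dataclasses import dataclass

# Content pattern exactly as it appears in the rule (hex bytes between pipes).
RULE_CONTENT = "|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"
RULE_SRC_PORT = 4444  # "alert tcp any 4444 -> any any"


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Snort reads text between a pair of '|' as space-separated hex and everything
    else as literal ASCII, so '|3a 5c|WINDOWS|5c|syste' and the all-hex form in
    the rule produce the same bytes.  Simplified: escaped pipes are not handled.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:          # even chunks sit outside the pipes: literal text
            out += part.encode("latin-1")
        else:                   # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


PATTERN = parse_snort_content(RULE_CONTENT)  # b":\\WINDOWS\\syste"


@dataclass
class Segment:
    """The parts of a TCP segment the rule header and flow keyword look at (hypothetical type)."""
    src_port: int
    dst_port: int
    from_server: bool   # flow:from_server -> payload flows responder -> initiator
    established: bool   # flow:established -> three-way handshake completed
    payload: bytes


def rule_matches(seg: Segment) -> bool:
    """Apply the rule: source port 4444, server->client on an established flow, content present."""
    if seg.src_port != RULE_SRC_PORT:
        return False
    if not (seg.from_server and seg.established):
        return False
    return PATTERN in seg.payload


# Constructed sample segments (not captured data).
SAMPLES = {
    # Shell banner the bind shell returns on 4444: fires.
    "shell_banner": Segment(4444, 33021, True, True,
                            b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                            b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
                            b"C:\\WINDOWS\\system32>"),
    # Different drive letter: still fires, because the pattern starts at ':\'.
    "d_drive": Segment(4444, 33022, True, True, b"D:\\WINDOWS\\system32>"),
    # Same string typed by the attacker toward port 4444: flow:from_server excludes it.
    "client_typed": Segment(33023, 4444, False, True, b"cd C:\\WINDOWS\\system32\r\n"),
    # Windows 2000 default system root is WINNT, so this prompt is not caught.
    "win2k": Segment(4444, 33024, True, True, b"C:\\WINNT\\system32>"),
    # Unrelated service answering on 4444: no match.
    "other_4444": Segment(4444, 33025, True, True, b"220 welcome\r\n"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run the rule over every sample and report which ones would alert."""
    return {name: rule_matches(seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:13s} {'ALERT' if fired else 'no alert'}")
```

The win2k sample is the caveat worth keeping in mind when deploying the rule: the match is on the prompt string, so a host whose system root is not \WINDOWS produces a shell the rule never sees, while the flow:from_server check keeps the attacker's own typing from triggering it.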