[Snort-sigs] DCOM MS03-026 Alpha Rules

Brian bmc at ...95...
Tue Jul 29 09:11:04 EDT 2003


>     I came up with these a little while ago and at least with the dcom.c
> that is freely available this seems to catch each variation pretty
> well.  I am wondering about false positives and other variations.  I
> would appreciate some testing of these rules if anybody is up for it
> :)  Any feedback would be greatly appreciated.  A few minutes ago I
> saw an 18 target version of the exploit floating around, but don't
> have time to test it, maybe tomorrow.


Unfortunately, these are trivially evadable.  The one thing I've seen
unique to the exploits is the service it binds to.

I released these rules that look for the service being accessed.  These
are not great, but at least it's not trivial to evade.

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)

-brian
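The matching logic of sid 2192, as an added example in Python that is not part of Brian's post or of the Snort ruleset. It constructs sample DCERPC bind PDUs (the endpoint-mapper and NDR transfer-syntax UUIDs are the standard values, used here only to build a benign sample), replicates the rule's content/distance/within/byte_test chain byte for byte, and separately walks every presentation context of the bind. Run side by side, the two show what the rule checks: the abstract syntax of the first context element at offset 32 of a fragment that carries PFC_FIRST_FRAG.

```python
import struct
import uuid

# Interface the rules look for; the rule's 16 literal bytes are its little-endian NDR encoding.
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")
RULE_BYTES = bytes.fromhex("A0010000 00000000 C0000000 00000046".replace(" ", ""))
# Standard UUIDs used only to build a benign sample (constructed input, not captured traffic).
EPMAPPER = uuid.UUID("E1AF8308-5D1F-11C9-91A4-08002B14A0FA")
NDR_SYNTAX = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")

PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LE = b"\x10\x00\x00\x00"  # little-endian, ASCII; what Windows clients emit


def build_bind(abstract_uuids, first_frag=True, call_id=1):
    """Construct a DCERPC bind PDU with one presentation context per abstract UUID."""
    body = struct.pack("<HHI", 5840, 5840, 0)          # max_xmit, max_recv, assoc_group
    body += struct.pack("<B3x", len(abstract_uuids))    # n_context_elem + 3 reserved bytes
    for ctx_id, abstract in enumerate(abstract_uuids):
        body += struct.pack("<HBx", ctx_id, 1)          # p_cont_id, n_transfer_syn, reserved
        body += abstract.bytes_le + struct.pack("<HH", 0, 0)   # abstract syntax + version
        body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)     # transfer syntax + version
    flags = PFC_LAST_FRAG | (PFC_FIRST_FRAG if first_frag else 0)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags, DREP_LE,
                         16 + len(body), 0, call_id)
    return header + body


def matches_sid_2192(payload: bytes) -> bool:
    """Replicate the option chain of sid 2192 on the TCP payload of one packet."""
    if len(payload) < 48:
        return False
    if payload[0] != 0x05:                  # content:"|05|"; distance:0; within:1
        return False
    if payload[2] != PTYPE_BIND:            # content:"|0b|"; distance:1; within:1
        return False
    if not payload[3] & PFC_FIRST_FRAG:     # byte_test:1,&,1,0,relative (cursor stays at 3)
        return False
    # distance:29 from the cursor at offset 3 puts the window at 32; within:16 pins a
    # 16-byte pattern to exactly that offset, i.e. the first context's abstract syntax.
    return payload[32:48] == RULE_BYTES


def bind_abstract_syntaxes(payload: bytes):
    """Return the abstract syntax UUID of every presentation context in a bind PDU.

    Assumes little-endian data representation (drep 0x10); other encodings are skipped.
    """
    if len(payload) < 28 or payload[0] != 0x05 or payload[2] != PTYPE_BIND:
        return []
    if payload[4] & 0xF0 != 0x10:
        return []
    n_ctx, off, found = payload[24], 28, []
    for _ in range(n_ctx):
        if off + 4 > len(payload):
            break
        n_transfer = payload[off + 2]
        off += 4
        if off + 20 > len(payload):
            break
        found.append(uuid.UUID(bytes_le=payload[off:off + 16]))
        off += 20 + 20 * n_transfer   # abstract (16+4) plus each transfer syntax (16+4)
    return found


def binds_isystemactivator(payload: bytes) -> bool:
    """True if any context of the bind targets ISystemActivator, whatever its position."""
    return ISYSTEMACTIVATOR in bind_abstract_syntaxes(payload)


if __name__ == "__main__":
    samples = {
        "exploit-style bind": build_bind([ISYSTEMACTIVATOR]),
        "benign epmapper bind": build_bind([EPMAPPER]),
        "ISystemActivator as 2nd context": build_bind([EPMAPPER, ISYSTEMACTIVATOR]),
        "bind without FIRST_FRAG": build_bind([ISYSTEMACTIVATOR], first_frag=False),
    }
    for name, pdu in samples.items():
        print(f"{name:32s} sid2192={matches_sid_2192(pdu)!s:5s} "
              f"any-context={binds_isystemactivator(pdu)}")
```

The constant check at the top (RULE_BYTES against ISYSTEMACTIVATOR.bytes_le) is worth keeping when porting a rule like this: the UUID in the rule is written in NDR wire order, not in the dashed form seen in exploit source.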

