[Snort-sigs] Re: Snort-sigs digest, Vol 1 #658 - 11 msgs

Zultan zultan at ...1298...
Thu Jul 31 03:30:02 EDT 2003


Brian,

Saw a dcom.c attack last night and neither of the DCERPC rules below hit.  However, these two rules did.  SHELLCODE hit first and the generic rule was second.  And as reported elsewhere, the system logs showed svchost.exe crashed, even though they were patched.

alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM port 135 exploit"; content:"|93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B D7 3A|"; classtype:shellcode-detect;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|";  classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)

Zultan

> 
> Message: 1
> Date: Wed, 30 Jul 2003 02:20:05 -0400
> To: snort-sigs at lists.sourceforge.net
> From: bmc at ...95...
> Subject: [Snort-sigs] snort-rules STABLE update @ Wed Jul 30 02:20:05 2003
> 
> 
> This rule update was brought to you by Oinkmaster.
> 
> [*] Rule modifications: [*]
> 
>   [+++]           Added:           [+++]
> 
>      file -> netbios.rules
>      alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
>      alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
> 
> 
> 

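To see exactly what each relative modifier in sid 2192 (quoted above) constrains, here is an added Python re-implementation of that rule's content/byte_test chain, run over a constructed DCERPC bind PDU; it is not code from this thread or from Snort. The cursor helpers, the bind builder, and the 5840-byte fragment sizes are assumptions made for the example.

```python
import struct

# ISystemActivator abstract-syntax UUID in its wire (little-endian) form, as
# matched by the last content: option of sid 2192.
ISYSTEMACTIVATOR = bytes.fromhex("A001000000000000C000000000000046")
# Standard NDR transfer syntax (8a885d04-1ceb-11c9-9fe8-08002b104860 v2), wire form.
NDR_SYNTAX = bytes.fromhex("045d888aeb1cc9119fe808002b104860")

def content(payload, pattern, doe, distance=0, within=None):
    """Emulate a relative Snort content match: the search starts `distance`
    bytes past the cursor `doe`, and the whole pattern must sit inside the
    next `within` bytes. Returns the cursor just past the match, or None."""
    start = doe + distance
    window = payload[start:] if within is None else payload[start:start + within]
    idx = window.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)

def byte_test_and(payload, doe, mask):
    """byte_test:1,&,mask,0,relative: one byte at the cursor ANDed with mask.
    As in Snort, this does not move the cursor."""
    return doe < len(payload) and (payload[doe] & mask) != 0

def match_sid_2192(payload):
    """Replay the option chain of sid 2192 over one TCP payload to port 135."""
    doe = content(payload, b"\x05", 0, distance=0, within=1)    # rpc_vers == 5
    if doe is None:
        return False
    doe = content(payload, b"\x0b", doe, distance=1, within=1)  # skip minor; ptype == bind
    if doe is None:
        return False
    if not byte_test_and(payload, doe, 1):                       # pfc_flags has FIRST_FRAG
        return False
    # 29 bytes past the flags byte is the abstract syntax UUID of the first
    # presentation context (offset 32); within:16 pins the match exactly there.
    return content(payload, ISYSTEMACTIVATOR, doe, distance=29, within=16) is not None

def build_bind(abstract_uuid, flags=0x03):
    """Constructed minimal DCERPC v5.0 bind PDU with one presentation context."""
    body = struct.pack("<HHI", 5840, 5840, 0)     # max xmit/recv frag (assumed), assoc group
    body += struct.pack("<B3x", 1)                 # n_context_elem + reserved
    body += struct.pack("<HBx", 0, 1)              # p_cont_id, n_transfer_syn
    body += abstract_uuid + struct.pack("<I", 0)   # abstract syntax + version
    body += NDR_SYNTAX + struct.pack("<I", 2)      # transfer syntax + version
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0x0B, flags, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)        # vers, minor, ptype, flags, drep, frag_len, auth_len, call_id
    return hdr + body
```

This replays only the payload-level options, not flow:to_server,established or stream reassembly, so a bind whose context list does not start in the first segment is one case the script (and the rule, without reassembly) will not flag.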