[Snort-sigs] quick rules for new dcom stuff

Johnathan Norman jnorman at ...1256...
Thu Sep 11 03:13:27 EDT 2003


I wrote these at 4am so I am sure they could be a lot better.

These rules worked for the Nessus scanner, Microsoft scan tool, and eEye's
scanner. So far I have not seen any FPs, but who knows... if your snort box
explodes don't blame me. SID 2192 also picks up this traffic.

alert tcp any any -> any 135 (content:"|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|"; msg:"NetBios RPC DCOM DOS Attempt(Xforce.net code)"; rev:1; sid:1000030;)
alert tcp any any -> any 135 (content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; msg:"NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)
alert tcp any any -> any 135 (content:"|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b2 36 19 bc af 2c 2d ea 01 00 00 00 01 00 00 00 5c 00|"; msg:"NetBios malformed DCERPC DCOM object activation request (4)"; rev:1; sid:1000029;)


Johnathan Norman, SCNA,CCSP,ISSP,GCIA
Network Security Analyst
Alert Logic, Inc.
jnorman at ...1256... / jnorman-pager at ...1256...
Office: 713-484-8383
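Added example, not part of the post: the following Python reproduces what these content-only rules actually test. The pattern strings are transcribed from the three rules above; the parser and the two sample payloads (a benign DCERPC-style bind header and one with a rule's bytes embedded) are my own constructions.

```python
import re

# Content patterns transcribed from the three rules in the post.
# Whitespace inside |...| is ignored by Snort, so "b236 19bc" and "b2 36 19 bc" are the same bytes.
RULES = {
    1000030: "|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 "
             "31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|",
    1000028: "|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|",
    1000029: "|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b236 19bc af2c 2dea 0100 0000 0100 0000 5c00|",
}


def parse_content(spec):
    """Turn a Snort content string (|hex| runs mixed with literal text) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                       # odd segments sit between pipes: hex bytes
            digits = re.sub(r"\s+", "", part)
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in %r" % part)
            out += bytes.fromhex(digits)
        else:                           # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def match_rules(payload):
    """Return the SIDs whose content bytes occur anywhere in the payload (these rules set no offset/depth)."""
    return sorted(sid for sid, spec in RULES.items() if parse_content(spec) in payload)


# Constructed payloads (mine, not from the post): a DCERPC-style bind header with nothing of interest,
# and a second buffer with rule 1000028's bytes embedded after an 8-byte header.
BENIGN = bytes.fromhex("05000b03100000004800000001000000b810b810000000000100000000000100")
HIT = b"\x05\x00\x00\x03\x10\x00\x00\x00" + parse_content(RULES[1000028]) + b"\x00" * 16


def demo():
    return {"benign": match_rules(BENIGN), "hit": match_rules(HIT)}


if __name__ == "__main__":
    print(demo())   # {'benign': [], 'hit': [1000028]}
```

Because the rules carry only a content option (no flow, offset or depth), each one is a plain substring test over any TCP payload to port 135, which is exactly what match_rules does; the 0x31 padding run in sid 1000030 is the part most likely to be tuned if it proves too broad.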



