[Snort-sigs] quick rules for new dcom stuff

David Wilburn dwilburn at ...8...
Thu Sep 11 04:04:05 EDT 2003


Johnathan Norman wrote:

>I wrote these at 4am so I am sure they could be a lot better.
>
>These rules worked for the nessus scanner, microsoft scan tool, and eeye's
>scanner. So far I have not seen any FP's but who knows.. if your snort box
>explodes don't blame me. SID 2192 also picks up this traffic..
>
>alert tcp any any -> any 135 (content:"|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|"; msg: "NetBios RPC DCOM DOS Attempt(Xforce.net code)"; rev:1; sid:1000030;)
>alert tcp any any -> any 135 (content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; msg: "NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)
>alert tcp any any -> any 135 (content:"|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b236 19bc af2c 2dea 0100 0000 0100 0000 5c00|"; msg: "NetBios malformed DCERPC DCOM object activation request (4)"; rev: 1;sid:1000029;)

Correct me if I'm wrong, but I believe these scan tools check for all of 
the known RPC vulnerabilities, including both MS03-026 and MS03-039. 
This would mean that a scan for the older RPC vulnerability would occur 
alongside the newer ones, and would naturally be detected by the older 
signature.  That does not necessarily mean that a scan tool or exploit 
designed to scan only for the newer vulnerabilities would be detected by 
these sigs, though.  Is your rule detecting scans for the new vulns, or 
the older one, or both?  What about SID 2192?
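Added example (not from either poster): a small Python reader for the `content:"..."` option of the three rules quoted above, used to check which rule's byte pattern occurs in a constructed buffer. It assumes plain substring matching (the rules use no offset/depth/nocase) and does not evaluate the tcp/port-135 header; the rules are rejoined onto one line each, since a content string wrapped by the mail client would not load.

```python
import re

# The three rules from the quoted post, each rejoined onto a single line
# where the mail client wrapped the content string.
RULES = [
    'alert tcp any any -> any 135 (content:"|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|"; msg: "NetBios RPC DCOM DOS Attempt(Xforce.net code)"; rev:1; sid:1000030;)',
    'alert tcp any any -> any 135 (content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; msg: "NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)',
    'alert tcp any any -> any 135 (content:"|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b236 19bc af2c 2dea 0100 0000 0100 0000 5c00|"; msg: "NetBios malformed DCERPC DCOM object activation request (4)"; rev: 1;sid:1000029;)',
]

def parse_content(content):
    """Turn a Snort content string (text mixed with |hex| sections) into bytes.
    Whitespace inside the pipes is ignored, so 'b2 36' and 'b236' (as written
    in the sid 1000029 rule) give the same two bytes."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:                       # literal text between hex sections
            out += chunk.encode("latin-1")
        else:                                # hex section
            digits = re.sub(r"\s+", "", chunk)
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in |%s|" % chunk)
            out += bytes.fromhex(digits)
    return bytes(out)

def parse_rule(rule):
    """Return (sid, msg, pattern bytes) for a one-line rule with one content option."""
    sid = int(re.search(r"sid:\s*(\d+)", rule).group(1))
    msg = re.search(r'msg:\s*"([^"]*)"', rule).group(1)
    content = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    return sid, msg, parse_content(content)

def matching_sids(payload, rules=RULES):
    """SIDs whose content pattern occurs anywhere in payload (substring search;
    the tcp/port-135 header test of the real rule is not modelled here)."""
    return [sid for sid, _msg, pattern in map(parse_rule, rules) if pattern in payload]

# Constructed sample buffers (not captured traffic):
# a generic DCERPC bind header that matches none of the patterns ...
BIND_HDR = bytes.fromhex("05000b031000000048000000")
# ... and filler bytes around the pattern from the sid 1000028 rule.
HIT = b"\x00" * 8 + parse_content("|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|") + b"\x00" * 8

if __name__ == "__main__":
    for name, buf in (("bind header", BIND_HDR), ("sid 1000028 bytes", HIT)):
        print(name, "->", matching_sids(buf))
```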
