[Snort-sigs] quick rules for new dcom stuff

Johnathan Norman jnorman at ...1256...
Thu Sep 11 06:33:34 EDT 2003


On Thu, 11 Sep 2003, David Wilburn wrote:

> Johnathan Norman wrote:
>
> >I wrote these at 4am so I am sure they could be a lot better.
> >
> >These rules worked for the Nessus scanner, the Microsoft scan tool, and eEye's
> >scanner. So far I have not seen any FPs, but who knows... if your Snort box
> >explodes don't blame me. SID 2192 also picks up this traffic.
> >
> >alert tcp any any -> any 135 (content:"|05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31|"; msg:"NetBios RPC DCOM DOS Attempt (Xforce.net code)"; rev:1; sid:1000030;)
> >alert tcp any any -> any 135 (content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; msg:"NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)
> >alert tcp any any -> any 135 (content:"|58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a b2 36 19 bc af 2c 2d ea 01 00 00 00 01 00 00 00 5c 00|"; msg:"NetBios malformed DCERPC DCOM object activation request (4)"; rev:1; sid:1000029;)
> >
> >
>
> Correct me if I'm wrong, but I believe these scan tools check for all of
> the known RPC vulnerabilities, including both MS03-026 and MS03-039.
>  This would mean that a scan for the older RPC vulnerability would occur
> alongside the newer ones, and would naturally be detected by the older
> signature.  That does not necessarily mean that a scan tool or exploit
> designed to scan only for the newer vulnerabilities would be detected by
> these sigs, though.  Is your rule detecting scans for the new vulns, or
> the older one, or both?  What about SID 2192?
>
>

Mine pick up the new scans. SID 2192 alerts on the older. All 3 will
alert using the MS scan tool.

And of course the DoS rule is based on the xforce.net exploit code, so it
only alerts if that code is used. You can find it at
http://www.k-otik.com/exploits/07.21.win2kdos.c.php

I basically just took traffic dumps from the scanners and wrote rules
based on the payloads and what I think is going on... I could be way off
:)

Johnathan
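Added example, not from Johnathan's post or from the Snort distribution: a small Python script that decodes the fixed 16-byte connection-oriented DCE/RPC PDU header and applies the three posted content strings the way a bare Snort `content:` match does (a byte-substring search anywhere in the TCP payload). Only the rule bytes are taken from the post; the two sample PDUs, the `build_bind` helper and the function names are constructed for this example. It also shows the check worth making before deploying sid 1000028: its 16 bytes are the tail of the NDR transfer-syntax UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 as it sits little-endian on the wire, followed by its version (2), which every ordinary bind carries, so a plain bind to the endpoint mapper on port 135 trips that rule.

```python
"""Parse connection-oriented DCE/RPC PDU headers and apply the three posted
content strings to constructed sample PDUs.  Added example; the sample PDUs
are built here, only the rule bytes come from the rules in the post."""
import struct
import uuid

# content strings exactly as posted, keyed by sid
RULE_CONTENT = {
    1000030: bytes.fromhex(
        "05 00 00 03 10 00 00 00 48 00 00 00 13 00 00 00 "
        "90 00 00 00 01 00 03 00 05 00 06 01 00 00 00 00 "
    ) + b"\x31" * 32,
    1000028: bytes.fromhex("eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00"),
    1000029: bytes.fromhex(
        "58 e9 98 00 01 00 00 00 95 96 95 2a 8c da 6d 4a "
        "b2 36 19 bc af 2c 2d ea 01 00 00 00 01 00 00 00 5c 00"
    ),
}

PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind",
         12: "bind_ack", 13: "bind_nak", 14: "alter_context"}

# Well-known identifiers: the NDR transfer syntax and the MS endpoint mapper interface.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR, version 2
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")    # epmapper, version 3


def parse_header(pdu):
    """Decode the fixed 16-byte CO PDU header; None if the payload is too short."""
    if len(pdu) < 16:
        return None
    ver, minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]
    endian = "<" if drep[0] & 0x10 else ">"   # high nibble of drep[0]: 1 = little-endian ints
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {"version": ver, "minor": minor, "ptype": PTYPE.get(ptype, ptype),
            "flags": flags, "frag_len": frag_len, "auth_len": auth_len,
            "call_id": call_id}


def match_rules(payload):
    """sids whose content occurs anywhere in payload (a bare Snort content: match)."""
    return sorted(sid for sid, content in RULE_CONTENT.items() if content in payload)


def build_bind(iface, iface_ver, call_id=1):
    """Constructed: a minimal bind PDU with one context proposing NDR v2 for iface."""
    ctx = struct.pack("<HBB", 0, 1, 0)                       # ctx id 0, 1 transfer syntax, pad
    ctx += iface.bytes_le + struct.pack("<I", iface_ver)     # abstract syntax
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)         # transfer syntax (NDR v2)
    body = struct.pack("<HHI", 5840, 5840, 0)                # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0) + ctx               # 1 context element + padding
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03,          # v5.0, bind, first|last
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


# Constructed samples.  The first is just the posted sid 1000030 bytes padded out to
# the 72-byte frag_len its own header declares; the second is an ordinary bind to
# the endpoint mapper such as any RPC client sends to port 135 before a lookup.
XFORCE_LIKE_REQUEST = RULE_CONTENT[1000030] + b"\x31" * 8
BENIGN_EPM_BIND = build_bind(EPM_IFACE, 3)


def report(samples):
    """Map sample name -> (ptype, sids hit) for a quick read of what fires where."""
    return {name: (parse_header(p)["ptype"], match_rules(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (ptype, sids) in report({"xforce-like request": XFORCE_LIKE_REQUEST,
                                       "benign epmapper bind": BENIGN_EPM_BIND}).items():
        print(f"{name:22s} ptype={ptype:8s} sids={sids}")
```

Run stand-alone it prints which sids each sample trips: the request built from the posted DoS bytes hits only sid 1000030, and the benign endpoint-mapper bind hits sid 1000028 and nothing else. Anchoring that rule on the request PDU (ptype 0) or the opnum rather than on the transfer-syntax UUID would be the usual fix.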


