[Snort-sigs] Rule for the newest DCOM vulnerability?

Brian bmc at ...95...
Thu Sep 11 12:47:08 EDT 2003


On Wed, Sep 10, 2003 at 10:02:47PM -0500, Compton, Rich wrote:
> Anyone have a new rule for the newest Microsoft DCOM vulnerability
> (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp)
> that eEye just discovered
> (http://www.eeye.com/html/Research/Advisories/AD20030910.html)?

Right now, the only pointer I've been able to come up with is looking
for the System Activator bind attempt.  These were committed today, but
sourceforge delay = post to here as well.
  
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0352; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp; reference:cve,CAN-2003-0715; sid:2251; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; classtype:attempted-admin; reference:cve,CAN-2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp; reference:cve,CAN-2003-0715; sid:2252; rev:2;)
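As an added illustration (not part of Brian's post or of the Snort rule set), the Python below decodes the DCERPC bind header fields that the two rules key on and re-expresses the byte checks of sid 2251 so the distance/within arithmetic can be read off: `|05|` at offset 0 is the RPC major version, `|0b|` at offset 2 is the bind packet type, the `byte_test` at offset 3 is the first-fragment flag, and the 16 bytes at offset 32 are the abstract syntax UUID of the first presentation context, which is the ISystemActivator interface when written in little-endian field order. The sample PDUs are constructed in code for testing, not captured traffic; the decoder assumes the little-endian data representation Windows clients send, and the `EPMAPPER` and `NDR32` UUIDs are well-known DCE values used only as non-matching filler.

```python
import struct
import uuid

# Wire bytes exactly as they appear in the content match of sid 2251/2252
RULE_UUID_WIRE = bytes.fromhex("B84A9F4D1C7DCF11861E0020AF6E7C57")
# The same 16 bytes decoded as a little-endian DCE UUID: the ISystemActivator interface
ISYSTEM_ACTIVATOR = uuid.UUID(bytes_le=RULE_UUID_WIRE)
# Well-known DCE UUIDs used only to build non-matching test PDUs
EPMAPPER = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # endpoint mapper interface
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")      # NDR transfer syntax

PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02


def parse_bind(pdu: bytes):
    """Decode the fields of a connection-oriented DCERPC bind PDU.

    Offsets are the 16-byte common header followed by the bind body; the rule's
    distance/within values land on these same offsets.  Returns None for anything
    that is not a complete bind header.  Assumes little-endian drep (what Windows
    sends); a big-endian drep would need the struct formats flipped.
    """
    if len(pdu) < 48:
        return None
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        return None
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", pdu, 8)
    max_xmit, max_recv, assoc_group = struct.unpack_from("<HHI", pdu, 16)
    n_context = pdu[24]
    return {
        "ptype": ptype,
        "first_frag": bool(pfc_flags & PFC_FIRST_FRAG),
        "frag_length": frag_length,
        "call_id": call_id,
        "n_context_elem": n_context,
        # first presentation context's abstract syntax: offset 32, 16 bytes
        "abstract_syntax": str(uuid.UUID(bytes_le=pdu[32:48])),
    }


def matches_rule(payload: bytes) -> bool:
    """The byte checks of sid 2251 in Python: |05| at offset 0, |0b| at offset 2
    (distance:1 skips the minor version byte), byte_test bit 1 at offset 3, and the
    UUID at offset 32 (distance:29 from the end of the |0b| match at offset 3)."""
    if len(payload) < 48:
        return False
    return (payload[0] == 0x05
            and payload[2] == PTYPE_BIND
            and bool(payload[3] & PFC_FIRST_FRAG)
            and payload[32:48] == RULE_UUID_WIRE)


def build_bind(abstract: uuid.UUID, first_frag: bool = True, call_id: int = 1) -> bytes:
    """Construct a minimal, well-formed bind PDU with one presentation context.
    Test input only; not captured traffic."""
    flags = PFC_LAST_FRAG | (PFC_FIRST_FRAG if first_frag else 0)
    body = struct.pack("<HHI", 5840, 5840, 0)           # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<B3x", 1)                       # n_context_elem + reserved
    body += struct.pack("<HBx", 0, 1)                    # p_cont_id, n_transfer_syn + reserved
    body += abstract.bytes_le + struct.pack("<I", 0)     # abstract syntax UUID + version 0.0
    body += NDR32.bytes_le + struct.pack("<I", 2)        # transfer syntax UUID + version 2.0
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags,
                         b"\x10\x00\x00\x00",            # drep: little-endian, ASCII, IEEE float
                         16 + len(body), 0, call_id)     # frag_length, auth_length, call_id
    return header + body


if __name__ == "__main__":
    for label, pdu in [
        ("ISystemActivator bind", build_bind(ISYSTEM_ACTIVATOR)),
        ("Endpoint mapper bind", build_bind(EPMAPPER)),
        ("ISystemActivator, not first fragment", build_bind(ISYSTEM_ACTIVATOR, first_frag=False)),
    ]:
        print(f"{label:40} rule match={matches_rule(pdu)} fields={parse_bind(pdu)}")
```

The third sample shows the consequence of the `byte_test` on the first-fragment bit: a bind whose header lacks that flag does not match, so a multi-fragment bind would be caught only on its first fragment. Note also that sid 2251 carries no `flow` keyword, while the SMB variant 2252 restricts itself to `to_server,established`.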
