[Snort-sigs] Rule for the newest DCOM vulnerability?

Compton, Rich RCompton at ...1352...
Thu Sep 11 12:49:36 EDT 2003


Brian, I think you've got a typo in your url reference.  You've got:
www.microsoft.com/technet/security/bulletin/MS03-029.asp
and it should be a 39 at the end there:
www.microsoft.com/technet/security/bulletin/MS03-039.asp

-Rich Compton

-----Original Message-----
From: Brian [mailto:bmc at ...95...]
Sent: Thursday, September 11, 2003 2:28 PM
To: Compton, Rich
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Rule for the newest DCOM vulnerability?


On Wed, Sep 10, 2003 at 10:02:47PM -0500, Compton, Rich wrote:
> Anyone have a new rule for the newest Microsoft DCOM vulnerability
> (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp)
> that eEye just discovered
> (http://www.eeye.com/html/Research/Advisories/AD20030910.html)?

Right now, the only pointer I've been able to come up with is looking
for the System Activator bind attempt.  These were committed today, but
sourceforge delay = post to here as well.
  
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote
Activation bind attempt"; content:"|05|"; distance:0; within:1;
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative;
content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29;
within:16; tag:session,5,packets; reference:cve,CAN-2003-0352;
classtype:attempted-admin;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp;
reference:cve,CAN-2003-0715; sid:2251; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote
Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|";
nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2;
content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12;
content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF
6E 7C 57|"; distance:29; within:16; tag:session,5,packets;
classtype:attempted-admin; reference:cve,CAN-2003-0352;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-029.asp;
reference:cve,CAN-2003-0715; sid:2252; rev:2;)
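To make explicit what the two rules above actually test, here is an added Python example (not from this thread or the Snort project) that applies the same byte checks to a raw DCERPC PDU: version 0x05 at offset 0, packet type 0x0b (bind) at offset 2, the first-fragment bit in pfc_flags at offset 3, and the 16-byte interface UUID at offset 32 (the rule's distance:29 after the type byte). The helper names (matches_remote_activation_bind, build_bind_pdu, check_samples) and the sample PDUs are my own constructions, not captured traffic.

```python
import struct
import uuid

# Little-endian UUID bytes exactly as they appear in the Snort rule's content match
IREMOTEACTIVATION_UUID_BYTES = bytes.fromhex("B84A9F4D1C7DCF11861E0020AF6E7C57")
# The same interface identifier in its usual textual form, derived from those bytes
IREMOTEACTIVATION_UUID = uuid.UUID(bytes_le=IREMOTEACTIVATION_UUID_BYTES)


def matches_remote_activation_bind(payload: bytes) -> bool:
    """Apply the rule's checks to one TCP payload carrying a DCERPC PDU.

    Mirrors the rule: byte 0 == 0x05 (rpc_vers), byte 2 == 0x0b (bind),
    pfc_flags & 0x01 (first fragment), and the abstract-syntax UUID at
    offset 32 (3 + distance 29, within 16) equal to IRemoteActivation.
    """
    if len(payload) < 48:            # offsets 0..47 must exist for the UUID compare
        return False
    if payload[0] != 0x05:           # rpc_vers
        return False
    if payload[2] != 0x0B:           # ptype == bind
        return False
    if not payload[3] & 0x01:        # byte_test:1,&,1,0,relative -> PFC_FIRST_FRAG
        return False
    return payload[32:48] == IREMOTEACTIVATION_UUID_BYTES


def build_bind_pdu(interface: uuid.UUID, pfc_flags: int = 0x03, call_id: int = 1) -> bytes:
    """Construct a minimal DCERPC bind PDU (constructed sample input for testing)."""
    ndr32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    body = struct.pack("<HHI", 4280, 4280, 0)            # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)                 # n_context_elem + reserved
    body += struct.pack("<HBB", 0, 1, 0)                 # context id, n_transfer_syn, pad
    body += interface.bytes_le + struct.pack("<I", 0)    # abstract syntax: uuid + version
    body += ndr32.bytes_le + struct.pack("<I", 2)        # transfer syntax: uuid + version
    frag_len = 16 + len(body)                            # 16-byte common header + body
    header = struct.pack("<BBBB4sHHI", 5, 0, 0x0B, pfc_flags,
                         b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return header + body


def check_samples() -> dict:
    """Run the detection over constructed PDUs: a true hit and two non-hits."""
    other = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # constructed, unrelated UUID
    return {
        "remote_activation": matches_remote_activation_bind(build_bind_pdu(IREMOTEACTIVATION_UUID)),
        "other_interface": matches_remote_activation_bind(build_bind_pdu(other)),
        "not_first_frag": matches_remote_activation_bind(
            build_bind_pdu(IREMOTEACTIVATION_UUID, pfc_flags=0x02)),
    }
```

The not_first_frag case shows the effect of the rule's byte_test: a bind whose first-fragment flag is clear is not reported, which is worth remembering when tuning against fragmented binds.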
