[Snort-sigs] quick rules for new dcom stuff

Nick.Cross at ...1874...
Mon Sep 15 05:50:02 EDT 2003


>So far I have not seen any FP's but who knows.. if your snort box
>explodes don't blame me.

I won't. It's my fault if I copy and paste your rule into my rulebase. =)

>alert tcp any any -> any 135 \
>(content:"|eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00|"; \
>msg:"NetBios DCERPC exploit attempt (req 3)"; rev:1; sid:1000028;)

But the above rule is kicking off a lot of FPs on the company's Win2k
Active Directory domain.  It seems the rule only fires when W2k AD DCs
chat to other AD DCs. I think that the packets are from the standard Win2k
authentication setup. Link:
http://www.thetechfirm.com/microsoft/win2kauth.pdf  but I'm not 100% sure.

cheers,

Nick.

examples for your comparison:

152 2003-09-15 12:30:56.832496 159.199.85.25 -> 159.199.243.18 DCERPC Bind:
call_id: 1 UUID: EPM

0000  00 08 21 5b 3f 00 00 00 e2 9b fb 24 08 00 45 00   ..![?......$..E.
0010  00 70 fd 26 40 00 80 06 75 a6 9f c7 55 19 9f c7   .p.&@...u...U...
0020  f3 12 0f 1e 00 87 68 5a 31 2b e5 e6 92 8d 50 18   ......hZ1+....P.
0030  ff ff 93 03 00 00 05 00 0b 03 10 00 00 00 48 00   ..............H.
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 00 00 01 00 08 83 af e1 1f 5d c9 11 91 a4   ...........]....
0060  08 00 2b 14 a0 fa 03 00 00 00 04 5d 88 8a eb 1c   ..+........]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....

153 2003-09-15 12:31:00.878823 159.199.243.33 -> 159.199.85.33 DCERPC Bind:
call_id: 1 UUID: EPM

0000  00 00 e2 9b fa 66 00 08 21 5b 3f 00 08 00 45 00   .....f..![?...E.
0010  00 70 36 3c 40 00 7e 06 3e 7a 9f c7 f3 21 9f c7   .p6<@.~.>z...!..
0020  55 21 11 26 00 87 d6 f6 a3 cd d8 be d5 0c 50 18   U!.&..........P.
0030  ff ff 7a 4e 00 00 05 00 0b 03 10 00 00 00 48 00   ..zN..........H.
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 00 00 01 00 08 83 af e1 1f 5d c9 11 91 a4   ...........]....
0060  08 00 2b 14 a0 fa 03 00 00 00 04 5d 88 8a eb 1c   ..+........]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....

154 2003-09-15 12:31:00.884219 159.199.85.33 -> 159.199.243.33 DCERPC Bind:
call_id: 1 UUID: EPM

0000  00 08 21 5b 3f 00 00 00 e2 9b fa 66 08 00 45 00   ..![?......f..E.
0010  00 70 0b 64 40 00 80 06 67 52 9f c7 55 21 9f c7   .p.d@...gR..U!..
0020  f3 21 10 1c 00 87 d8 bf 88 2c d6 f7 85 b7 50 18   .!.......,....P.
0030  ff ff e6 4c 00 00 05 00 0b 03 10 00 00 00 48 00   ...L..........H.
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
0050  00 00 00 00 01 00 08 83 af e1 1f 5d c9 11 91 a4   ...........]....
0060  08 00 2b 14 a0 fa 03 00 00 00 04 5d 88 8a eb 1c   ..+........]....
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....



---
Nicholas Cross
Network Consultant
UK IT
FUJITSU CONSULTING
51 Homer Road
Solihull
West Midlands
p: +44-121-220-6601
f:  +44-121-220-6001
www.consulting.fujitsu.com
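Added example (not from Nick's mail and not part of any Snort distribution): a small Python decoder for the bind frames dumped above. It strips the Ethernet/IPv4/TCP headers, parses the DCERPC v5 bind PDU (header, context list, abstract and transfer syntax ids) and reports which field the rule's content bytes land in. For these frames the match sits inside the transfer syntax, the NDR 2.0 id that every connection-oriented bind advertises, while the interface actually being bound is the Endpoint Mapper (the "UUID: EPM" in the dissector line). Frame 154 is left out because its PDU is byte-for-byte the same as the other two.

```python
import struct
import uuid

# Frames 152 and 153 copied from the hex dumps in the post above (Ethernet,
# IPv4 and TCP headers included). Frame 154 carries the same bind PDU.
FRAME_152 = bytes.fromhex(
    "00 08 21 5b 3f 00 00 00 e2 9b fb 24 08 00 45 00 "
    "00 70 fd 26 40 00 80 06 75 a6 9f c7 55 19 9f c7 "
    "f3 12 0f 1e 00 87 68 5a 31 2b e5 e6 92 8d 50 18 "
    "ff ff 93 03 00 00 05 00 0b 03 10 00 00 00 48 00 "
    "00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 "
    "00 00 00 00 01 00 08 83 af e1 1f 5d c9 11 91 a4 "
    "08 00 2b 14 a0 fa 03 00 00 00 04 5d 88 8a eb 1c "
    "c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00"
)
FRAME_153 = bytes.fromhex(
    "00 00 e2 9b fa 66 00 08 21 5b 3f 00 08 00 45 00 "
    "00 70 36 3c 40 00 7e 06 3e 7a 9f c7 f3 21 9f c7 "
    "55 21 11 26 00 87 d6 f6 a3 cd d8 be d5 0c 50 18 "
    "ff ff 7a 4e 00 00 05 00 0b 03 10 00 00 00 48 00 "
    "00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 "
    "00 00 00 00 01 00 08 83 af e1 1f 5d c9 11 91 a4 "
    "08 00 2b 14 a0 fa 03 00 00 00 04 5d 88 8a eb 1c "
    "c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00"
)

# The content bytes from sid:1000028 in the quoted rule.
RULE_CONTENT = bytes.fromhex("eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00")

PTYPE_BIND = 0x0B


def dcerpc_payload(frame):
    """Strip Ethernet, IPv4 and TCP headers and return the TCP payload."""
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length
    ip_total = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4   # TCP header length
    return frame[tcp_start + data_off : 14 + ip_total]


def _syntax_id(buf, off):
    """Decode a 20-byte p_syntax_id_t: little-endian UUID + major.minor version."""
    iface = str(uuid.UUID(bytes_le=buf[off : off + 16]))
    major, minor = struct.unpack("<HH", buf[off + 16 : off + 20])
    return iface, f"{major}.{minor}"


def parse_bind(pdu):
    """Parse a DCERPC v5 connection-oriented bind PDU into a dict.

    The byte offset of every syntax id is recorded so that a signature hit
    can be attributed to a specific field."""
    if pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCERPC v5 bind PDU")
    frag_len, auth_len, call_id = struct.unpack("<HHI", pdu[8:16])
    max_xmit, max_recv, assoc_group = struct.unpack("<HHI", pdu[16:24])
    n_ctx = pdu[24]
    items, off = [], 28                           # context list follows 3 pad bytes
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack("<HB", pdu[off : off + 3])
        off += 4                                  # ctx id, count, 1 pad byte
        abstract = {"off": off, "syntax": _syntax_id(pdu, off)}
        off += 20
        transfer = []
        for _ in range(n_ts):
            transfer.append({"off": off, "syntax": _syntax_id(pdu, off)})
            off += 20
        items.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfer})
    return {
        "call_id": call_id, "frag_len": frag_len, "auth_len": auth_len,
        "max_xmit": max_xmit, "max_recv": max_recv, "assoc_group": assoc_group,
        "items": items,
    }


def locate_rule_content(pdu):
    """Return (field, uuid) saying where RULE_CONTENT matches inside the PDU,
    or None if the rule would not fire on this PDU at all."""
    idx = pdu.find(RULE_CONTENT)
    if idx < 0:
        return None
    for item in parse_bind(pdu)["items"]:
        for field, entries in (("abstract_syntax", [item["abstract"]]),
                               ("transfer_syntax", item["transfer"])):
            for e in entries:
                if e["off"] <= idx < e["off"] + 20:
                    return field, e["syntax"][0]
    return "other", None


if __name__ == "__main__":
    for name, frame in (("152", FRAME_152), ("153", FRAME_153)):
        pdu = dcerpc_payload(frame)
        b = parse_bind(pdu)
        ctx = b["items"][0]
        print(f"frame {name}: call_id={b['call_id']} "
              f"abstract={ctx['abstract']['syntax']} "
              f"transfer={ctx['transfer'][0]['syntax']} "
              f"rule hit in {locate_rule_content(pdu)}")
```

Running it prints, for both frames, an abstract syntax of e1af8308-5d1f-11c9-91a4-08002b14a0fa 3.0 (the Endpoint Mapper) and a rule hit in the transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 2.0 (NDR). Because that transfer syntax is carried by practically every bind on the wire, a content match on it identifies DCERPC binds in general rather than a bind to any particular interface; a rule that is meant to catch traffic to one interface is better keyed on the abstract syntax UUID at its fixed offset in the context item.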
