[Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

d'Ambly, Jeff jdambly at ...1900...
Thu Sep 25 08:30:16 EDT 2003


Has anyone found a false positive for the NETBIOS DCERPC ISystemActivator
bind attempt rule? I have a machine that is constantly matching this rule,
but I ran the Symantec tools to look for the MS blast worm and it found
nothing.
 
Here is what my rule looks like:
 
alert tcp any any -> any 135 (msg:"NETBIOS DCERPC ISystemActivator bind
attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1;
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative;
content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29;
within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192;
rev:1;)
 
and here is the packet that was captured; could this be normal traffic?
 
05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00   ........|.,.....
D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00   ....Y...........
A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46   ...............F
00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00   +.H`.........[..
4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0   NTLMSSP.........
03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00   ....)....... ...
46 49 53 48 42 4F 57 4C 31 44 45 56               FISHBOWL1DEV 
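The Python below is an added example; it is not part of the post and not Snort's own code. It embeds the hex dump above as a constructed byte string, decodes it as a connection-oriented DCERPC bind PDU (common header, first presentation context, sec_trailer and the NTLMSSP NEGOTIATE message it carries), and emulates the match chain of sid 2192 so that a reader can see exactly which bytes the rule keys on. The field offsets are the standard DCERPC PDU layout; the rule emulation is this example's reading of the rule's content/distance/within/byte_test sequence, not the Snort detection engine itself.

```python
"""Decode the DCERPC bind PDU from the post and emulate what sid 2192 matches on."""
import struct
import uuid

# Constructed from the hex dump in the post: 124 bytes, frag_length 0x7c.
CAPTURE_HEX = """
05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00
D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00
A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46
00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00
2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00
4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0
03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00
46 49 53 48 42 4F 57 4C 31 44 45 56
"""
CAPTURE = bytes.fromhex(CAPTURE_HEX)

# The interface UUID that the rule's 16-byte content option spells out (PDU bytes 32..47).
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
AUTH_TYPE_NTLMSSP = 0x0A


def rule_sid_2192_matches(pdu: bytes) -> bool:
    """Emulate the rule's match chain on one TCP payload sent to port 135.

    content:"|05|" within:1               -> byte 0  (rpc_vers) is 5
    content:"|0b|" distance:1 within:1    -> byte 2  (ptype) is bind
    byte_test:1,&,1,0,relative            -> byte 3  (pfc_flags) has FIRST_FRAG set
    content:<16-byte uuid> distance:29    -> bytes 32..47 are the abstract-syntax UUID
    """
    if len(pdu) < 48:
        return False
    return bool(
        pdu[0] == 0x05
        and pdu[2] == PTYPE_BIND
        and pdu[3] & PFC_FIRST_FRAG
        and uuid.UUID(bytes_le=pdu[32:48]) == ISYSTEMACTIVATOR
    )


def decode_ntlm_negotiate(msg: bytes) -> dict:
    """NTLMSSP NEGOTIATE_MESSAGE (type 1): flags plus the optional OEM domain/workstation strings."""
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    dom_len, _dom_max, dom_off = struct.unpack_from("<HHI", msg, 16)
    ws_len, _ws_max, ws_off = struct.unpack_from("<HHI", msg, 24)
    return {
        "type": msg_type,
        "flags": flags,
        "domain": msg[dom_off:dom_off + dom_len].decode("ascii", "replace"),
        "workstation": msg[ws_off:ws_off + ws_len].decode("ascii", "replace"),
    }


def decode_bind(pdu: bytes) -> dict:
    """Parse the common header, the first presentation context and the auth trailer (all little-endian)."""
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", pdu, 8)
    max_xmit, max_recv, assoc_group = struct.unpack_from("<HHI", pdu, 16)
    n_ctx = pdu[24]
    ctx_id, n_transfer = struct.unpack_from("<HB", pdu, 28)
    abstract_ver, = struct.unpack_from("<I", pdu, 48)
    transfer_ver, = struct.unpack_from("<I", pdu, 68)
    info = {
        "rpc_vers": rpc_vers, "rpc_vers_minor": rpc_vers_minor, "ptype": ptype,
        "pfc_flags": pfc_flags, "frag_length": frag_length, "auth_length": auth_length,
        "call_id": call_id, "max_xmit": max_xmit, "max_recv": max_recv,
        "assoc_group": assoc_group, "n_ctx_items": n_ctx, "ctx_id": ctx_id,
        "n_transfer_syntaxes": n_transfer,
        "abstract_syntax": str(uuid.UUID(bytes_le=pdu[32:48])), "abstract_version": abstract_ver,
        "transfer_syntax": str(uuid.UUID(bytes_le=pdu[52:68])), "transfer_version": transfer_ver,
    }
    if auth_length:
        # The 8-byte sec_trailer sits immediately before the auth_value at the end of the fragment.
        auth_off = frag_length - auth_length - 8
        auth_type, auth_level, auth_pad, _rsvd, auth_ctx = struct.unpack_from("<BBBBI", pdu, auth_off)
        auth_value = pdu[auth_off + 8:auth_off + 8 + auth_length]
        info.update(auth_type=auth_type, auth_level=auth_level, auth_pad_length=auth_pad,
                    auth_context_id=auth_ctx, auth_value=auth_value)
        if auth_type == AUTH_TYPE_NTLMSSP and auth_value.startswith(b"NTLMSSP\x00"):
            info["ntlm"] = decode_ntlm_negotiate(auth_value)
    return info


if __name__ == "__main__":
    print("sid 2192 would fire:", rule_sid_2192_matches(CAPTURE))
    for key, value in decode_bind(CAPTURE).items():
        print(f"{key}: {value}")
```

Run as-is it reports a first-fragment bind (call_id 2) to the ISystemActivator interface over the NDR transfer syntax, carrying an NTLMSSP NEGOTIATE message whose OEM strings name the workstation FISHBOWL1 in domain DEV, and confirms the rule would fire. The thing to notice for triage is that the rule matches only on "bind, first fragment, ISystemActivator"; ordinary remote DCOM activation from a Windows client binds to that same interface, so the match by itself does not separate worm traffic from legitimate activation, and the NTLM workstation and domain names (together with the source address) are the fields to follow up on the sending host.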