[Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

Sir Fenix claudus at ...1903...
Thu Sep 25 10:08:10 EDT 2003


Hi Jeff,

A few days ago I was in the same situation: I got a lot of false positives 
in normal use of my machines, and that was the only rule that triggered 
related to the Blaster worm, so I had to disable it.

Just a comment.

d'Ambly, Jeff wrote:

> Has anyone found a false positive for the NETBIOS DCERPC 
> ISystemActivator bind attempt rule? I have a machine that is constantly 
> matching this rule, but I ran the Symantec tools to look for the MS 
> blast worm and it found nothing.
> 
> Here is what my rule looks like:
> 
> alert tcp any any -> any 135 (msg:"NETBIOS DCERPC ISystemActivator bind 
> attempt"; flow:to_server,established; content:"|05|"; distance:0; 
> within:1; content:"|0b|"; distance:1; within:1; 
> byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 
> 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; 
> classtype:attempted-admin; sid:2192; rev:1;)
> 
> and here is the packet that was captured, could this be normal traffic?
> 
> 05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00   ........|.,.....
> D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00   ....Y...........
> A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46   ...............F
> 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
> 2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00   +.H`.........[..
> 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0   NTLMSSP.........
> 03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00   ....)....... ...
> 46 49 53 48 42 4F 57 4C 31 44 45 56               FISHBOWL1DEV
> 
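A decoder for the captured bind, added here as an example and not taken from the thread or from the Snort project: it walks the DCERPC bind header, the presentation context and the NTLMSSP auth trailer so the packet reads as an ordinary DCOM bind with connect-level NTLM auth from a named workstation and domain, and it re-creates the rule's content checks to show why sid 2192 fires on every ISystemActivator bind whether or not an exploit follows. Function and field names are my own; offsets follow the DCE RPC connection-oriented PDU layout.

```python
import struct
import uuid

ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # UUID sid 2192 looks for

# The bind PDU from the post, re-typed from its hex dump (test input, not a live capture)
CAPTURED_BIND = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00 "
    "D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00 "
    "A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 "
    "2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00 "
    "4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0 "
    "03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00 "
    "46 49 53 48 42 4F 57 4C 31 44 45 56")

def parse_bind(pdu):
    """Decode a little-endian DCERPC bind PDU: header, presentation contexts, auth trailer."""
    vers, _, ptype, pfc, _, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu)
    if vers != 5 or ptype != 0x0B:
        raise ValueError("not a DCERPC v5 bind PDU")
    _xmit, _recv, assoc, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    off, contexts = 28, []  # first context element follows 3 reserved bytes
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        abstract = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # 16-byte UUID, then 4-byte version
        off += 24
        transfer = [uuid.UUID(bytes_le=pdu[off + 20 * i:off + 20 * i + 16]) for i in range(n_ts)]
        off += 20 * n_ts
        contexts.append({"id": ctx_id, "abstract": abstract, "transfer": transfer})
    auth = None
    if auth_len:  # 8-byte auth trailer precedes the auth blob at the end of the fragment
        tr = frag_len - auth_len - 8
        auth_type, auth_level = struct.unpack_from("<BB", pdu, tr)
        auth = {"type": auth_type, "level": auth_level, "blob": pdu[tr + 8:tr + 8 + auth_len]}
    return {"frag_len": frag_len, "call_id": call_id, "first_frag": bool(pfc & 1),
            "assoc_group": assoc, "contexts": contexts, "auth": auth}

def ntlm_negotiate_fields(blob):
    """Extract flags, domain and workstation from an NTLMSSP NEGOTIATE (type 1) message."""
    if blob[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", blob, 8)[0] != 1:
        return None
    flags = struct.unpack_from("<I", blob, 12)[0]
    d_len, _, d_off, w_len, _, w_off = struct.unpack_from("<HHIHHI", blob, 16)
    return {"flags": flags, "domain": blob[d_off:d_off + d_len].decode("ascii"),
            "workstation": blob[w_off:w_off + w_len].decode("ascii")}

def sid_2192_matches(pdu):
    """Rule's content checks only (flow: not modelled): v5, bind, first-frag flag, UUID at 3+29."""
    return bool(len(pdu) >= 48 and pdu[0] == 5 and pdu[2] == 0x0B and pdu[3] & 1
                and pdu[32:48] == ISYSTEMACTIVATOR.bytes_le)
```

For the captured packet this yields auth type 10 (NTLMSSP) at level 2 (connect), workstation FISHBOWL1 in domain DEV, and a single context for ISystemActivator over NDR, which is what a domain-joined Windows client sends for a DCOM activation; the rule has nothing further to distinguish that from an exploit attempt.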