[Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

Ian Boje kc0itq at ...1904...
Thu Sep 25 13:13:06 EDT 2003



You might try looking for the Welchia worm also (assuming you only checked 
for the MSBlaster worm using the tool provided on the website).

You can look for a process running called "DLLHOST.EXE" or 
"MSBLAST.EXE" in your task manager.  If they exist, there might be a 
chance you have it.

On Thu, 25 Sep 2003, d'Ambly, Jeff wrote:

> Has anyone found a false positive for the NETBIOS DCERPC ISystemActivator
> bind attempt rule? I have a machine that is constantly matching this rule,
> but I ran the Symantec tools to look for the MS blast worm and it found
> nothing.
>  
> Here is what my rule looks like
>  
> alert tcp any any -> any 135 (msg:"NETBIOS DCERPC ISystemActivator bind
> attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1;
> content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative;
> content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29;
> within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192;
> rev:1;)
>  
> and here is the packet that was captured, could this be normal traffic?
>  
> 05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00   ........|.,.....
> D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00   ....Y...........
> A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46   ...............F
> 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
> 2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00   +.H`.........[..
> 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0   NTLMSSP.........
> 03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00   ....)....... ...
> 46 49 53 48 42 4F 57 4C 31 44 45 56               FISHBOWL1DEV 
> 

-- 
Ian Boje
KC0ITQ
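Added example, not part of the thread: a Python decoder that replays the four checks of the quoted sid:2192 rule against the quoted capture and then parses the bind PDU's fields, so a defender can see exactly what the signature keys on. The rule fires on any first-fragment DCE/RPC bind to the ISystemActivator interface, which is also the interface normal DCOM activation binds to; only the field names and the NTLM negotiate decode are assumptions from the DCE/RPC and NTLMSSP layouts, everything else comes from the packet above.

```python
import struct
import uuid

# The 124-byte bind PDU quoted in the thread (frag_length 0x7C confirms it is complete).
CAPTURED_HEX = (
    "05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00 "
    "D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00 "
    "A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 "
    "2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00 "
    "4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0 "
    "03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00 "
    "46 49 53 48 42 4F 57 4C 31 44 45 56"
)
PACKET = bytes.fromhex(CAPTURED_HEX)

ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # the UUID in the rule
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")        # standard NDR transfer syntax
PTYPE_BIND, PFC_FIRST_FRAG, AUTH_NTLMSSP = 0x0B, 0x01, 0x0A

def rule_2192_matches(pkt: bytes) -> bool:
    """Replay sid:2192: rpc_vers 5 at offset 0, ptype bind one byte later (distance:1),
    first-fragment flag set (byte_test:1,&,1,0,relative), and the interface UUID exactly
    29 bytes after the ptype byte (distance:29; within:16 leaves no other position)."""
    if len(pkt) < 48 or pkt[0] != 0x05 or pkt[2] != PTYPE_BIND:
        return False
    if not pkt[3] & PFC_FIRST_FRAG:
        return False
    return uuid.UUID(bytes_le=pkt[32:48]) == ISYSTEMACTIVATOR

def parse_bind(pkt: bytes) -> dict:
    """Decode the connection-oriented bind header, first presentation context and auth trailer."""
    (vers, minor, ptype, flags, frag_len, auth_len, call_id,
     max_xmit, max_recv, assoc, n_ctx) = struct.unpack_from("<BBBB4xHHIHHIB", pkt, 0)
    cont_id, _, abstract, abs_ver, transfer, _ = struct.unpack_from("<HBx16sI16sI", pkt, 28)
    info = {"ptype": ptype, "flags": flags, "frag_len": frag_len, "call_id": call_id,
            "contexts": n_ctx, "interface": uuid.UUID(bytes_le=abstract), "iface_ver": abs_ver,
            "ndr": uuid.UUID(bytes_le=transfer) == NDR_SYNTAX, "auth_type": None}
    if auth_len:  # the auth trailer sits auth_len + 8 bytes before the end of the PDU
        trailer = frag_len - auth_len - 8
        auth_type, auth_level, _, _ = struct.unpack_from("<BBBxI", pkt, trailer)
        info.update(auth_type=auth_type, auth_level=auth_level)
        blob = pkt[trailer + 8:frag_len]
        if auth_type == AUTH_NTLMSSP and blob.startswith(b"NTLMSSP\x00"):
            # NTLM NEGOTIATE: domain and workstation (len, maxlen, offset) fields at 16 and 24
            d_len, _, d_off, w_len, _, w_off = struct.unpack_from("<HHIHHI", blob, 16)
            info["domain"] = blob[d_off:d_off + d_len].decode("ascii", "replace")
            info["workstation"] = blob[w_off:w_off + w_len].decode("ascii", "replace")
    return info
```

Flipping the first-fragment bit in byte 3, or any UUID other than ISystemActivator's at offset 32, makes `rule_2192_matches` return False, which shows how narrow the signature actually is.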