[Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

Robert Reid rreid at ...414...
Thu Sep 25 18:00:05 EDT 2003


I have gotten very few false positives with this signature. Backup Exec
seems to make it fire sometimes, but other than that it's been very well
behaved.

-----Original Message-----
From: Ian Boje [mailto:kc0itq at ...1904...] 
Sent: Thursday, September 25, 2003 4:12 PM
To: d'Ambly, Jeff
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] NETBIOS DCERPC ISystemActivator bind attempt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You might try looking for the Welchia worm also (assuming you only checked
for the MSBlaster worm using the tool provided on the website).

You can look for a process running called "DLLHOST.EXE" or "MSBLAST.EXE"
in your task manager.  If they exist, there might be a chance you have it.

On Thu, 25 Sep 2003, d'Ambly, Jeff wrote:

> Has anyone found a false positive for the NETBIOS DCERPC 
> ISystemActivator bind attempt rule? I have a machine that is 
> constantly matching this rule, but I ran the Symantec tools to look 
> for the MS blast worm and it found nothing.
>  
> Here is what my rule looks like
>  
> alert tcp any any -> any 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
>  
> and here is the packet that was captured, could this be normal traffic?
>  
> 05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00   ........|.,.....
> D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00   ....Y...........
> A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46   ...............F
> 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00   .....]..........
> 2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00   +.H`.........[..
> 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0   NTLMSSP.........
> 03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00   ....)....... ...
> 46 49 53 48 42 4F 57 4C 31 44 45 56               FISHBOWL1DEV 
> 

- --
Ian Boje
KC0ITQ
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE/c0v7eYi9Pai6l90RAmEqAJ4ytsWla+f1W2teHtC2+8bdqqmPNQCfTrf3
EP37uNls8TJaLigwCwJBH/8=
=x5gK
-----END PGP SIGNATURE-----
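To see exactly why SID 2192 fires on the packet quoted in this thread, here is an added Python example (not code from the thread, from Snort, or from any of the posters). It embeds the hex dump from the message, replays the rule's content/distance/within/byte_test chain against it the way Snort's relative matching works, and decodes the DCERPC bind header so the matched bytes can be read as protocol fields. Offsets and field names follow the standard DCERPC connection-oriented bind PDU layout; the function names `sid_2192_matches` and `parse_bind` are my own.

```python
import struct
import uuid

# The 124-byte DCERPC bind PDU from the hex dump quoted in the thread.
BIND_PDU = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 7C 00 2C 00 02 00 00 00"
    "D0 16 D0 16 59 08 01 00 01 00 00 00 01 00 01 00"
    "A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46"
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00"
    "2B 10 48 60 02 00 00 00 0A 02 00 00 D0 5B 0B 00"
    "4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0"
    "03 00 03 00 29 00 00 00 09 00 09 00 20 00 00 00"
    "46 49 53 48 42 4F 57 4C 31 44 45 56"
)

# The 16-byte content from the rule: the ISystemActivator interface UUID
# {000001A0-0000-0000-C000-000000000046} in DCERPC's little-endian wire order.
ISYSTEMACTIVATOR_LE = bytes.fromhex("A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46")

PTYPE_BIND = 0x0B        # DCERPC packet type "bind"
PFC_FIRST_FRAG = 0x01    # pfc_flags bit: first fragment of the PDU


def sid_2192_matches(payload: bytes) -> bool:
    """Replay the content/distance/within/byte_test chain of SID 2192 rev 1.

    'doe' is the detect-offset-end pointer Snort keeps after each relative
    content match; byte_test reads relative to it but does not move it.
    """
    # content:"|05|"; distance:0; within:1  -> rpc_vers must be 5 at offset 0
    if payload[0:1] != b"\x05":
        return False
    doe = 1
    # content:"|0b|"; distance:1; within:1  -> skip rpc_vers_minor, ptype must be bind
    if payload[doe + 1:doe + 2] != bytes([PTYPE_BIND]):
        return False
    doe += 2
    # byte_test:1,&,1,0,relative  -> pfc_flags has PFC_FIRST_FRAG set
    if not payload[doe] & PFC_FIRST_FRAG:
        return False
    # content:"|A0 01 ... 46|"; distance:29; within:16
    # -> the abstract syntax of the first presentation context is ISystemActivator
    start = doe + 29
    return payload[start:start + 16] == ISYSTEMACTIVATOR_LE


def parse_bind(payload: bytes) -> dict:
    """Decode the DCERPC common header, bind body and sec_trailer (little-endian)."""
    (_vers, _vers_minor, ptype, pfc_flags, _drep,
     frag_length, auth_length, call_id) = struct.unpack_from("<BBBB4sHHI", payload, 0)
    if ptype != PTYPE_BIND:
        raise ValueError("not a bind PDU: ptype=0x%02x" % ptype)
    _max_xmit, _max_recv, _assoc_group, n_ctx = struct.unpack_from("<HHIB", payload, 16)
    off = 28  # bind body: 2+2+4+1 bytes plus 3 bytes of padding
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_transfer, _reserved = struct.unpack_from("<HBB", payload, off)
        abstract = uuid.UUID(bytes_le=payload[off + 4:off + 20])
        abstract_ver = struct.unpack_from("<I", payload, off + 20)[0]
        off += 24
        transfer = []
        for _ in range(n_transfer):
            transfer.append(str(uuid.UUID(bytes_le=payload[off:off + 16])))
            off += 20  # 16-byte UUID + 4-byte version
        contexts.append({"id": ctx_id, "abstract_syntax": str(abstract),
                         "abstract_version": abstract_ver, "transfer_syntaxes": transfer})
    auth = None
    if auth_length:
        # The 8-byte sec_trailer sits right before auth_length bytes of auth data.
        trailer = frag_length - auth_length - 8
        auth_type, auth_level = struct.unpack_from("<BB", payload, trailer)
        auth = {"type": auth_type, "level": auth_level,
                "data": payload[trailer + 8:frag_length]}
    return {"frag_length": frag_length, "auth_length": auth_length, "call_id": call_id,
            "first_frag": bool(pfc_flags & PFC_FIRST_FRAG),
            "contexts": contexts, "auth": auth}


if __name__ == "__main__":
    print("SID 2192 matches:", sid_2192_matches(BIND_PDU))
    for k, v in parse_bind(BIND_PDU).items():
        print("%-12s %s" % (k, v))
```

Decoded, the packet is a first-fragment bind whose only presentation context asks for interface 000001a0-0000-0000-c000-000000000046 (ISystemActivator, the DCOM remote activation interface served by RPCSS) over the NDR transfer syntax, with an NTLMSSP negotiate message in the auth trailer. That is the first step of any authenticated DCOM activation, so the rule fires on every client that activates remote COM objects, not only on the exploit; it identifies the targeted interface, and the host-side process checks mentioned earlier in the thread are what separate a worm from ordinary DCOM use.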

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs