[Snort-sigs] untested sig for THCIISSLame.c (MS04-011 exploit)

Matthew Watchinski mwatchinski at ...435...
Tue Apr 27 07:40:27 EDT 2004

You might want to check out sid 2515 for a more generic rule.

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC 
PCT Long Client_Hello message exploit attempt"; flow:to_server,established; 
content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; 
byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; 
classtype:attempted-admin; sid:2515; rev:1;)

Also remember that ports 465, 995, 993, 639 are also effected as MS links 
against a generic crypto library.  Sids for those ports also exist in cvs.


Paul Tinsley wrote:
> Whoops, I meant to hit reply to all so others could use it :/  Here goes.
> I still haven't had a chance to fix the sig to be more generic but it
> seems to be working as you say...
> On Tue, 27 Apr 2004 14:23:07 +1200, James Riden <j.riden at ...1766...> wrote:
>>pdt at ...1716... writes:
>>>Yours doesn't seem to work and the reason being, you are basing it off of
>>>the shellcode which he is XORing before it goes into the string.  This one
>>>is quick and dirty but will work with the exploit code.  I am going to
>>>play with it further so that it has a chance of working with modififed
>>>versions, right now i key off of the greetz message and the xor'd offset,
>>>not good long term.
>>>alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame
>>>by Johnny Cyberpunk)"; sid:900034;content:"|54 48 43 4F 57 4E 5A 49 49 53
>>>21 32 5E BE 98|";within:36;)
>>Works for me - I've seen it coming from a few addresses - to a server
>>I patched a few days ago, HAH!
>>Do you want to post it to the list? I know there's some people who
>>would appreciate it - and it's a lot better than nothing as it is.
>> Jamie
>>James Riden / j.riden at ...1766... / Systems Security Engineer
>>Information Technology Services, Massey University, NZ.
>>GPG public key available at: http://www.massey.ac.nz/~jriden/
> -------------------------------------------------------
> This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
> For a limited time only, get FREE Ground shipping on all orders of $35
> or more. Hurry up and shop folks, this offer expires April 30th!
> http://www.thinkgeek.com/freeshipping/?cpg=12297
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list