[Snort-sigs] RE: sig for MS04-007 exploit?

William_Metcalf at ...1445... William_Metcalf at ...1445...
Tue Feb 24 06:54:16 EST 2004


This is quick and dirty, so use at your own risk.  Works well for me 
though

alert tcp any any -> any 445 (msg:"Microsoft ASN.1 exploit DOS"; 
flow:to_server,established; content:"|a0 0e 30 0c 06 0a 2b 06 01 04 01 82 
37 02 02 0a a1 05 23 03 03 01 07|"; offset:64; depth:144; 
classtype:attempted-dos; sid:20000; rev:2;) 

Regards,

Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040224/e30187f5/attachment.html>


More information about the Snort-sigs mailing list