[Snort-sigs] Windows RPC Interface access detect signature set (win-rpc.rules)
matt at ...2436...
Tue Jun 1 22:41:06 EDT 2004
With Kawa's permission I've added this set to the bleeding rules. But
not in the compiled bleeding.rules file.
Added a separate dir called Stable-Side. These sigs are very
interesting, but they can't be part of a regular ruleset without careful
consideration. They'll hit you with loads of events on your internal
net. So use them where it's appropriate (external nets, etc).
I've added sids and revs. Available at http://snort.infotex.com in the
Thanks Kawa, these will be very valuable in tightening down a net.
> Hi, all.
> I made "Windows RPC Interface access detect signature set" with Urity.
> http://kawa.smokerz.net/d/file/win-rpc.rules (v 1.0 2004/06/02)
> http://kawa.smokerz.net/d/?200405c&to=200405293#200405293 (Japanese)
> - It can detect Windows RPC Interface access.
> - It can detect 43 RPC Interfaces.
> - It has 258 (43x6) signatures.
> - It can't detect particular attacks.
> - If unknown worms are released, it may detect.
> - Some signatures may overlap with snort signatures.
> If anyone knows other major RPC Interface ID, plz tell me.