[Snort-sigs] Windows RPC Interface access detect signature set (win-rpc.rules)

Matthew Jonkman matt at ...2436...
Tue Jun 1 22:41:06 EDT 2004

With Kawa's permission I've added this set to the bleeding rules. But 
not in the compiled bleeding.rules file.

Added a separate dir called Stable-Side. These sigs are very 
interesting, but they can't be part of a regular ruleset without careful 
consideration. They'll hit you with loads of events on your internal 
net. So use them where it's appropriate (external nets, etc).

I've added sid's and rev's. Available at http://snort.infotex.com in the 

Thanks Kawa, these will be very valuable in tightening down a net.


kawa wrote:

> Hi, all.
> I made "Windows RPC Interface access detect signature set" with Urity.
> http://kawa.smokerz.net/d/file/win-rpc.rules  (v 1.0 2004/06/02)
> http://kawa.smokerz.net/d/?200405c&to=200405293#200405293 (Japanese)
> - It can detect Windows RPC Inferface access.
> - It can detect 43 RPC Interfaces.
> - It has 258 (43x6) signatures.
> - It can't detect particular attacks.
> - If unknown worms are released , it may detect.
> - Some signatures may overlap with snort signatures.
> If anyone knows other major RPC Interface ID, plz tell me.
> Thanks.

More information about the Snort-sigs mailing list