[Snort-sigs] Windows RPC Interface access detect signature set (win-rpc.rules)
Kreimendahl, Chad J
Chad.Kreimendahl at ...361...
Wed Jun 2 08:24:03 EDT 2004
FWIW... I believe the SID range for user-built sids to stay outside of
snort's reserved range starts at 1,000,000.
The sid keyword is used to uniquely identify Snort rules. This
information allows output plugins to identify rules easily. This option
should be used with the rev keyword. (See section 2.4.4)
<100 Reserved for future use
100-1,000,000 Rules included with the Snort distribution
>1,000,000 Used for local rules
The file sid-msg.map contains a mapping of alert messages to Snort rule
IDs. This information is useful when post-processing alerts to map an ID
to an alert message.
From: Matthew Jonkman [mailto:matt at ...2436...]
Sent: Wednesday, June 02, 2004 12:40 AM
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Windows RPC Interface access detect signature
With Kawa's permission I've added this set to the bleeding rules. But
not in the compiled bleeding.rules file.
Added a separate dir called Stable-Side. These sigs are very
interesting, but they can't be part of a regular ruleset without careful
consideration. They'll hit you with loads of events on your internal
net. So use them where it's appropriate (external nets, etc).
I've added sid's and rev's. Available at http://snort.infotex.com in the
Thanks Kawa, these will be very valuable in tightening down a net.
> Hi, all.
> I made "Windows RPC Interface access detect signature set" with Urity.
> http://kawa.smokerz.net/d/file/win-rpc.rules (v 1.0 2004/06/02)
> http://kawa.smokerz.net/d/?200405c&to=200405293#200405293 (Japanese)
> - It can detect Windows RPC Interface access.
> - It can detect 43 RPC Interfaces.
> - It has 258 (43x6) signatures.
> - It can't detect particular attacks.
> - If unknown worms are released, it may detect them.
> - Some signatures may overlap with snort signatures.
> If anyone knows other major RPC Interface ID, plz tell me.
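The two points raised in this thread (local rules must keep their SIDs above 1,000,000 and out of the distribution range, every rule should carry a rev, and sid-msg.map maps a SID back to its msg) can be checked mechanically before a set like win-rpc.rules is dropped into a sensor. The following is an added example, not code from this thread, from Kawa's rule set or from the Snort project; the sample rules, their msg strings and SID values are constructed for illustration and are not taken from win-rpc.rules.

```python
import re

# SID ranges as quoted from the Snort manual earlier in this thread.
LOCAL_SID_MIN = 1_000_001          # >1,000,000 is for local rules
DIST_SID_RANGE = (100, 1_000_000)  # rules shipped with the Snort distribution

# Constructed sample ruleset (not win-rpc.rules): two good local rules,
# one that collides with the distribution range, one without a rev.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL RPC interface example A"; flow:to_server,established; content:"|05 00 0b|"; depth:3; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL RPC interface example B"; content:"|05 00 00|"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"BAD SID collides with distribution range"; content:"|05 00|"; sid:2000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"BAD no rev"; content:"|05 00|"; sid:1000003;)
# comment lines and blank lines are skipped
"""

# Rule options are "name:value;" pairs; msg is quoted and may contain \" escapes.
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')


def parse_rules(text):
    """Return one dict per active rule line with its line number, sid, rev and msg.

    Missing options are recorded as None so the checker can report them.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append({
            "line": lineno,
            "sid": int(sid.group(1)) if sid else None,
            "rev": int(rev.group(1)) if rev else None,
            "msg": msg.group(1) if msg else None,
        })
    return rules


def check_local_rules(rules):
    """Return a list of problem strings for a set of locally maintained rules.

    Flags: missing sid, sid inside Snort's reserved/distribution range,
    missing rev, and duplicate sids within the set.
    """
    problems = []
    first_seen = {}
    for r in rules:
        if r["sid"] is None:
            problems.append(f"line {r['line']}: missing sid")
            continue
        if r["sid"] < LOCAL_SID_MIN:
            problems.append(
                f"line {r['line']}: sid {r['sid']} is inside Snort's reserved "
                f"range (local rules use >1,000,000)"
            )
        if r["rev"] is None:
            problems.append(f"line {r['line']}: sid {r['sid']} has no rev")
        if r["sid"] in first_seen:
            problems.append(
                f"line {r['line']}: sid {r['sid']} duplicates line {first_seen[r['sid']]}"
            )
        first_seen.setdefault(r["sid"], r["line"])
    return problems


def sid_msg_map(rules):
    """Build sid-msg.map lines ('sid || msg') for rules that have both fields."""
    return [
        f"{r['sid']} || {r['msg']}"
        for r in rules
        if r["sid"] is not None and r["msg"] is not None
    ]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for problem in check_local_rules(parsed):
        print("PROBLEM:", problem)
    print("\n".join(sid_msg_map(parsed)))
```

Run against a real local ruleset, the checker catches the two mistakes that bite when a third-party set is merged in: a SID that will collide with a distribution rule (and silently replace its message in sid-msg.map), and a rule without a rev, which makes later updates to that signature untrackable.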