[Snort-sigs] Windows RPC Interface access detect signature set (win-rpc.rules)

Matthew Jonkman matt at ...2436...
Wed Jun 2 12:42:04 EDT 2004


You are right there, typo in the header. Fixed.

Matt

Kreimendahl, Chad J wrote:

> Ahh, didn't look at the actual rules that were made... Only the comments
> at the top of bleeding.rules (mistype maybe?) 
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:matt at ...2436...] 
> Sent: Wednesday, June 02, 2004 2:31 PM
> To: Kreimendahl, Chad J
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Windows RPC Interface access detect signature
> set (win-rpc.rules)
> 
> Definitely agree. That's why we've put the bleeding rules in the 
> 2,000,000 range and up.
> 
> Let me know if we missed any.
> 
> Matt
> 
> Kreimendahl, Chad J wrote:
> 
> 
>>FWIW... I believe the SID range for user-built sids to stay outside of
>>snort's reserved range starts at 1,000,000.
>>
>>
>><snortdocs>
>>2.4.3 sid
>>The sid keyword is used to uniquely identify Snort rules. This
>>information allows output plugins to identify rules easily. This option
>>should be used with the rev keyword. (See section 2.4.4)
>>
>>
>><100 Reserved for future use 
>>100-1,000,000 Rules included with the Snort distribution 
>>
>>
>>>1,000,000 Used for local rules 
>>
>>
>>The file sid-msg.map contains a mapping of alert messages to Snort rule
>>IDs. This information is useful when post-processing alert to map an ID
>>to an alert message.
>>
>></snortdocs> 
>>
>>
>>
>>
>>-----Original Message-----
>>From: Matthew Jonkman [mailto:matt at ...2436...] 
>>Sent: Wednesday, June 02, 2004 12:40 AM
>>To: kawa
>>Cc: snort-sigs at lists.sourceforge.net
>>Subject: Re: [Snort-sigs] Windows RPC Interface access detect signature
>>set (win-rpc.rules)
>>
>>With Kawa's permission I've added this set to the bleeding rules. But 
>>not in the compiled bleeding.rules file.
>>
>>Added a separate dir called Stable-Side. These sigs are very
>>interesting, but they can't be part of a regular ruleset without careful
>>consideration. They'll hit you with loads of events on your internal
>>net. So use them where it's appropriate (external nets, etc).
>>
>>I've added sid's and rev's. Available at http://snort.infotex.com in the
>>cvs-web.
>>
>>Thanks Kawa, these will be very valuable in tightening down a net.
>>
>>Matt
>>
>>
>>kawa wrote:
>>
>>
>>
>>>Hi, all.
>>>
>>>I made "Windows RPC Interface access detect signature set" with Urity.
>>>http://kawa.smokerz.net/d/file/win-rpc.rules  (v 1.0 2004/06/02)
>>>http://kawa.smokerz.net/d/?200405c&to=200405293#200405293 (Japanese)
>>>
>>>- It can detect Windows RPC Interface access.
>>>- It can detect 43 RPC Interfaces.
>>>- It has 258 (43x6) signatures.
>>>- It can't detect particular attacks.
>>>- If unknown worms are released, it may detect.
>>>- Some signatures may overlap with snort signatures.
>>>
>>>If anyone knows other major RPC Interface ID, plz tell me.
>>>
>>>Thanks.
>>>
>>>
>>
>>
>>
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
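The SID ranges quoted from the Snort manual in this thread (below 100 reserved, 100 to 1,000,000 shipped with Snort, above 1,000,000 local) are easy to check mechanically before a local rule set like the one discussed here is loaded. The script below is an added example, not code from the thread, the bleeding rules or the win-rpc.rules set; the sample rules it scans are constructed, and the DCERPC bind-header bytes in their content match are only a placeholder pattern.

```python
import re

# Ranges as quoted from Snort manual section 2.4.3 in the thread.
RESERVED_MAX = 99             # < 100: reserved for future use
DISTRIBUTION_MAX = 1_000_000  # 100-1,000,000: rules shipped with Snort
                              # > 1,000,000: local rules

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Constructed sample rules (not the win-rpc.rules set). The content bytes
# are the DCERPC v5 bind packet type and serve only as a placeholder match.
SAMPLE_RULES = """\
# constructed sample rules for the SID checker
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL ok"; flow:to_server,established; content:"|05 00 0B|"; depth:3; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL collides with Snort range"; content:"|05 00 0B|"; depth:3; sid:500; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL missing rev"; content:"|05 00 0B|"; depth:3; sid:2000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL duplicate"; content:"|05 00 0B|"; depth:3; sid:2000001; rev:2;)
"""

def classify_sid(sid):
    """Map a SID to the range named in the Snort manual."""
    if sid <= RESERVED_MAX:
        return "reserved"
    if sid <= DISTRIBUTION_MAX:
        return "distribution"
    return "local"

def check_rules(text):
    """Return (line_no, sid, rev, range, problems) for every rule line.

    A local rule set should only use the local range, carry a rev, and
    never reuse a SID; sid-msg.map lookups break otherwise."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            findings.append((n, None, None, None, ["missing sid"]))
            continue
        sid = int(m.group(1))
        r = REV_RE.search(line)
        rev = int(r.group(1)) if r else None
        cat = classify_sid(sid)
        problems = []
        if cat != "local":
            problems.append(f"sid {sid} is in the {cat} range")
        if rev is None:
            problems.append("missing rev")
        if sid in seen:
            problems.append(f"duplicate of line {seen[sid]}")
        seen.setdefault(sid, n)
        findings.append((n, sid, rev, cat, problems))
    return findings

if __name__ == "__main__":
    for n, sid, rev, cat, problems in check_rules(SAMPLE_RULES):
        print(n, sid, rev, cat, "; ".join(problems) or "ok")
```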