[Snort-sigs] signature : Windows Lsasrv.dll Remote Universal Exploit XP/2K (MS04-011)

Aaron W. DeLashmutt awd at ...2442...
Mon May 3 04:55:00 EDT 2004


Signatures for latest lsass exploit:
http://www.k-otik.com/exploits/04292004.HOD-ms04011-lsasrv-expl.c.php

alert tcp any any -> any 445 (msg:"MS04011 Lsasrv.dll RPC exploit (WinXP)";
content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB
5B A6 E9 31 31|"; sid:200021; rev:1;)
alert tcp any any -> any 445 (msg:"MS04011 Lsasrv.dll RPC exploit (Win2k)";
content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 00
00 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; sid:200022; rev:1;)

---
Aaron W. DeLashmutt <awd at ...2442...> 





More information about the Snort-sigs mailing list