[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276
nigel at ...435...
Thu Jun 30 19:28:46 EDT 2005
On 0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> Joel Esler wrote:
> >Are you sure this is a false positive? The Signature is lookin for the
> >little endian bind in RPC.. This looks to be that.
> Hi Joel,
> Thanks for checking this out. I freely admit I would not reconise
> a "little endian bind in RPC" if it danced naked in front of me
> singing "Waltzing Matilda" :) as one of my colleagues used to say
> -- usually in reference to managers.
> I do know that this is legit traffic, and since this rule does not have
> any documentation that I can find I'm at a loss to know what to make of
> it. I may as well disable the rule. AFAIK both machines are windows
First, a real packet capture sent to research at sourcefire.com or any one
of us on the VRT would certainly help tune the rule if it is a false
Now, not to beat everyone who "can't find documentation" over the head with
this, but it's getting old...
# cd /path/to/snort/source/snort/doc/signatures
# less 3276.txt
This rule generates an event when an attempt is made to exploit a known
vulnerability in Microsoft RPC DCOM.
Execution of arbitrary code leading to full administrator access of the
machine. Denial of Service (DoS).
A vulnerability exists in Microsoft RPC DCOM such that execution of
arbitrary code or a Denial of Service condition can be issued against a
host by sending malformed data via RPC.
The Distributed Component Object Model (DCOM) handles DCOM requests
sent by clients to a server using RPC. A malformed request to an RPC
port will result in a buffer overflow condition that will present the
attacker with the opportunity to execute arbitrary code with the
privileges of the local system account.
Windows NT 4.0
Windows NT 4.0 Terminal Server Edition
Windows Server 2003
If it's not on snort.org, tell us about that too, we can probably fix
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
I require a window seat and an inflight Happy Meal, and no pickles!
God help you if I find pickles!
More information about the Snort-sigs