[Snort-users] snmpXdmi rule

Brian Caswell bmc at ...312...
Thu Apr 19 02:15:40 EDT 2001


This rule was generated based on the packet dumps posted to 
incidents at ...717...  All phear marty's RPC decoding
skills.  This looks for the last frag flag and the snmpXdmi 
RPC procedure.  

Please send me packet traces for any traffic captured by this
so I can further limit the rule's false positives.


1.6 version
---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flags:PA; content:"|8000 19a0|"; offset:4; depth:4; content:"|00018799|"; offset:16; reference:bugtraq,2417; reference:cve,CAN-2001-0236;)


1.7 version
---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flags:a+; content:"|8000 19a0|"; offset:4; depth:4; content:"|00018799|"; offset:16; reference:bugtraq,2417; reference:cve,CAN-2001-0236;)

1.8 version
---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flags:a+; content:"|8000 19a0|"; offset:4; depth:4; content:"|00018799|"; offset:16; reference:bugtraq,2417; reference:cve,CAN-2001-0236; classtype:attempted-root;)

-- 
Brian Caswell
The MITRE Corporation
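Added illustration, not part of Brian's post and not Snort code: a small Python decoder for the ONC RPC record header that the rule's two hex content matches are inspecting. The first match, |8000 19a0|, is a record marker with the last-fragment bit set and a fragment length of 0x19a0 (6560) bytes; the second, |00018799|, is RPC program number 100249 (snmpXdmi), which sits at byte 16 of a TCP RPC record when the marker is at byte 0. The example goes one step beyond the exact-length match by flagging any oversized last-fragment CALL to that program. The 1024-byte threshold, the sample packets, the AUTH_NULL credentials and the helper names are assumptions constructed here so it runs offline; only the program number and the 0x19a0 length come from the post.

```python
import struct

# ONC RPC constants (RFC 1831 / RFC 5531)
RPC_CALL = 0
RPC_VERSION = 2
SNMPXDMI_PROG = 0x00018799    # 100249: the snmpXdmi program number the rule matches on
PORTMAP_PROG = 100000         # used only for the benign sample below

LAST_FRAG = 0x80000000        # bit 31 of the record marker
HEADER_LEN = 28               # record marker + six 4-byte call header fields


def parse_rpc_record(payload: bytes):
    """Decode the fixed header of an ONC RPC message carried over TCP.

    Layout: 4-byte record marker (bit 31 = last fragment, low 31 bits =
    fragment length), then XID, message type, RPC version, program,
    program version and procedure, each a big-endian 32-bit integer.
    Returns None if fewer than 28 bytes are present.
    """
    if len(payload) < HEADER_LEN:
        return None
    marker, xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack(
        "!7I", payload[:HEADER_LEN])
    return {
        "last_frag": bool(marker & LAST_FRAG),
        "frag_len": marker & 0x7FFFFFFF,
        "xid": xid,
        "msg_type": msg_type,
        "rpc_version": rpc_vers,
        "program": prog,
        "version": vers,
        "procedure": proc,
    }


def is_snmpxdmi_call(payload: bytes, max_frag_len: int = 1024) -> bool:
    """Flag an RPC CALL to the snmpXdmi program that is the last fragment
    and larger than max_frag_len bytes.

    The threshold (1024 is an assumed value, not taken from the rule)
    generalises the rule's exact-length match on 0x19a0 bytes: any
    oversized request to this program is worth a look.
    """
    hdr = parse_rpc_record(payload)
    if hdr is None:
        return False
    return (hdr["last_frag"]
            and hdr["msg_type"] == RPC_CALL
            and hdr["rpc_version"] == RPC_VERSION
            and hdr["program"] == SNMPXDMI_PROG
            and hdr["frag_len"] > max_frag_len)


def build_rpc_call(program: int, version: int, procedure: int,
                   body: bytes, xid: int = 0x12345678) -> bytes:
    """Assemble a minimal single-fragment RPC call record (AUTH_NULL cred and verf)."""
    auth_null = struct.pack("!II", 0, 0) * 2   # cred + verf: flavor 0, length 0
    fields = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION,
                         program, version, procedure)
    frag = fields + auth_null + body
    marker = struct.pack("!I", LAST_FRAG | len(frag))
    return marker + frag


# Constructed samples, not real captures. The filler body stands in for the
# overflow payload; its length is chosen so the fragment length equals 0x19a0,
# the value the posted rule keys on (24 header bytes + 16 auth bytes + body).
SAMPLE_EXPLOIT = build_rpc_call(SNMPXDMI_PROG, 1, 1, b"A" * (0x19A0 - 24 - 16))
SAMPLE_PORTMAP = build_rpc_call(PORTMAP_PROG, 2, 3, b"\x00" * 16)   # a GETPORT-sized call


if __name__ == "__main__":
    for name, pkt in (("exploit", SAMPLE_EXPLOIT), ("portmap", SAMPLE_PORTMAP)):
        h = parse_rpc_record(pkt)
        print(name, hex(h["program"]), h["frag_len"], is_snmpxdmi_call(pkt))
```

Note that with the marker at byte 0, the program number lands at bytes 16..19, which is where the rule's second content match (offset:16) looks; the exploit sample's first four bytes are exactly the |8000 19a0| the rule's first content match carries.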