[Snort-users] MSDTC Vulnerability Rule?

John johns at ...1179...
Mon Feb 4 07:45:10 EST 2002


Hello Eric,

  With the limited details of this bug I came up with a simple rule. It will
(as usual) require some work from the IDS analysis.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)

----- Original Message -----
From: "Eric Johansen" <eric.johansen at ...3001...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, February 04, 2002 9:54 AM
Subject: [Snort-users] MSDTC Vulnerability Rule?


> Has anyone created a rule for the MSDTC vulnerability that was published a
> few days ago (http://www.securityfocus.com/bid/4006)?
>
> Also, since Whitehats.com's site seems to be unreliable recently where do
> you guys go for supplemental and bleeding edge rules updates?  Or do you
> mostly "brew your own"?
>
> Thanks!
>
> Eric
>
> ---
> Eric Johansen
> System Administrator
> PrimeVest
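
Added example (not part of the original thread and not Snort's own code): a Python model of what the posted rule's header, `flags: A+` and `dsize: >1024` tests accept, run over constructed packet summaries. The HOME_NET value, and EXTERNAL_NET being its complement, are assumptions made for illustration.

```python
import ipaddress
import re

# Rule text as posted above, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; '
        'flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)')

# Assumptions for illustration: HOME_NET is 10.0.0.0/8, EXTERNAL_NET is !$HOME_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_rule(rule):
    """Return (destination port, {option: value}) for a single-line rule."""
    header, body = rule.split("(", 1)
    dport = int(header.split()[6])
    opts = {}
    for item in body.rstrip(")").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return dport, opts

def rule_matches(pkt, dport, opts):
    """Apply the header, flags and dsize tests to one packet summary."""
    if ipaddress.ip_address(pkt["src"]) in HOME_NET:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in HOME_NET or pkt["dport"] != dport:
        return False
    spec = opts["flags"]
    want = sum(FLAG_BITS[c] for c in spec if c in FLAG_BITS)
    if spec.endswith("+"):            # '+': listed flags set, others allowed
        flags_ok = (pkt["flags"] & want) == want
    else:                             # no modifier: exact flag match
        flags_ok = pkt["flags"] == want
    op, n = re.fullmatch(r"([<>]?)\s*(\d+)", opts["dsize"]).groups()
    size_ok = {">": pkt["dsize"] > int(n), "<": pkt["dsize"] < int(n),
               "": pkt["dsize"] == int(n)}[op]
    return flags_ok and size_ok

# Constructed packet summaries (not captured traffic).
PACKETS = [
    {"src": "203.0.113.7", "dst": "10.1.1.5", "dport": 3372, "flags": 0x18, "dsize": 1460},
    {"src": "203.0.113.7", "dst": "10.1.1.5", "dport": 3372, "flags": 0x18, "dsize": 1024},
    {"src": "203.0.113.7", "dst": "10.1.1.5", "dport": 3372, "flags": 0x02, "dsize": 0},
    {"src": "10.2.2.2", "dst": "10.1.1.5", "dport": 3372, "flags": 0x18, "dsize": 1460},
]

def evaluate(packets=PACKETS):
    dport, opts = parse_rule(RULE)
    return [rule_matches(p, dport, opts) for p in packets]
```

The rule carries no content option, so any segment over 1024 bytes with ACK set that arrives from outside on port 3372 alerts, and a payload of exactly 1024 bytes does not.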