[Snort-users] MSDTC Vulnerability Rule?
bmc at ...950...
Thu Feb 7 04:35:02 EST 2002
According to John:
> Hello Eric,
> With the limited details of this bug I came up with a simple rule. It will
> (as usual) require some work from the IDS analysis.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS";
> flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)
Good sig, except according to SecurityFocus's bugtraq database the DoS
can be accomplished by using 1024 bytes or more of random data. When I
get a chance to commit it to CVS, the sig will be like below.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"EXPERIMENTAL MSDTC DoS"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)
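
The two signatures in this thread differ only at the boundary, a payload of exactly 1024 bytes. The following Python sketch is an added example, not part of the original post or of Snort itself: it models just the destination port and the `>N`, `<N` and exact forms of `dsize`, its function names are hypothetical, and the payload sizes are constructed.

```python
# Added example: models only the destination port and dsize option of the
# two rules quoted in the thread; flags and address variables are ignored.
PROPOSED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 '
            '(msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; '
            'reference:bugtraq,4006; classtype:attempted-dos;)')
COMMITTED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 '
             '(msg:"EXPERIMENTAL MSDTC DoS"; flags:A+; dsize:>1023; '
             'reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)')


def parse_rule(rule):
    """Return (destination port, {option: value}) for a one-line rule."""
    header, _, body = rule.partition('(')
    dst_port = int(header.split()[-1])      # last header token is the dst port
    options = {}
    # Naive split on ';' is enough here: neither msg contains a semicolon.
    for item in body.rstrip().rstrip(')').split(';'):
        key, sep, value = item.partition(':')
        if sep:
            options[key.strip()] = value.strip()
    return dst_port, options


def dsize_matches(spec, payload_len):
    """Evaluate the '>N', '<N' and exact 'N' forms of dsize."""
    spec = spec.strip()
    if spec.startswith('>'):
        return payload_len > int(spec[1:])
    if spec.startswith('<'):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def rule_fires(rule, dst_port, payload_len):
    """True when the packet's port and payload size satisfy the rule."""
    port, options = parse_rule(rule)
    return dst_port == port and dsize_matches(options['dsize'], payload_len)


def boundary_table(sizes=(1023, 1024, 1025)):
    """(size, proposed fires, committed fires) for constructed payload sizes."""
    return [(n, rule_fires(PROPOSED, 3372, n), rule_fires(COMMITTED, 3372, n))
            for n in sizes]


if __name__ == '__main__':
    for size, old, new in boundary_table():
        print(f'{size:5d} bytes  dsize:>1024={old!s:5}  dsize:>1023={new!s:5}')
```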