[Snort-users] MSDTC Vulnerability Rule?

Brian bmc at ...950...
Thu Feb 7 04:35:02 EST 2002


According to John:
> Hello Eric,
> 
>   With the limited details of this bug I came up with a simple rule. It will
> (as usual) require some work from the IDS analysis.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)

Good sig, except according to SecurityFocus's bugtraq database the dos
can be accomplished by using 1024 bytes or more of random data.  When I
get a chance to commit it to CVS, the sig will be like below.  

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"EXPERIMENTAL MSDTC DoS"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)

-brian
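The whole difference between the two rules above is the dsize threshold, and an off-by-one there is easy to miss by eye. As an added illustration (not code from the list or from the Snort project), the snippet below pulls the dsize option out of each rule, turns it into a size predicate using the Snort 1.x/2.x dsize grammar for the exact, "<n" and ">n" forms (the "min<>max" range form is deliberately left out), and evaluates both rules against constructed payloads of 1023, 1024 and 1025 bytes. The rule strings are the two posted above; the payloads and helper names are mine.

```python
import os
import re

# The two rules as posted in the thread: John's original and Brian's corrected one.
ORIGINAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; '
                 'flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)')
FIXED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"EXPERIMENTAL MSDTC DoS"; '
              'flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)')

# dsize forms handled here: "n" (exact), "<n", ">n". Whitespace after the colon or
# the operator is tolerated, since old-style rules such as John's use "dsize: >1024".
DSIZE_RE = re.compile(r"^\s*(?P<op>[<>])?\s*(?P<n>\d+)\s*$")


def dsize_from_rule(rule: str) -> str:
    """Extract the raw value of the dsize option from a Snort rule body."""
    m = re.search(r"dsize\s*:\s*([^;]+);", rule)
    if not m:
        raise ValueError("rule has no dsize option")
    return m.group(1).strip()


def parse_dsize(spec: str):
    """Return a predicate (payload length -> bool) for a dsize value like '>1023'."""
    m = DSIZE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported dsize value: {spec!r}")
    n = int(m.group("n"))
    op = m.group("op")
    if op == ">":
        return lambda size: size > n
    if op == "<":
        return lambda size: size < n
    return lambda size: size == n


def rule_matches_payload(rule: str, payload: bytes) -> bool:
    """True if the rule's dsize test would fire on a TCP segment carrying `payload`."""
    return parse_dsize(dsize_from_rule(rule))(len(payload))


def compare_rules(sizes=(1023, 1024, 1025)) -> dict:
    """Map each payload size to (original fires?, fixed fires?) for the two rules."""
    result = {}
    for size in sizes:
        payload = os.urandom(size)  # constructed: random filler, as in the bugtraq description
        result[size] = (rule_matches_payload(ORIGINAL_RULE, payload),
                        rule_matches_payload(FIXED_RULE, payload))
    return result


if __name__ == "__main__":
    for size, (orig, fixed) in compare_rules().items():
        print(f"payload {size:4d} bytes: dsize:>1024 fires={orig!s:5}  dsize:>1023 fires={fixed!s:5}")
```

Only the corrected rule fires on exactly 1024 bytes of payload, which is the smallest size the bugtraq entry says triggers the DoS; both rules agree at 1025 and above, and neither fires at 1023.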
