[Snort-users] Snort rule about MS08-067

Kevin Ross kevross33 at ...14012...
Fri Feb 24 10:28:16 EST 2012


If you are looking for rules for Conficker there are ones in
emergingthreats.net too and also shared object rules for VRT.

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2;
depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|";
reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008690;
classtype:attempted-admin; sid:2008690; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|";
content:"..|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008691;
classtype:attempted-admin; sid:2008691; rev:6;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|";
content:"../../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008692;
classtype:attempted-admin; sid:2008692; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00
2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008693;
classtype:attempted-admin; sid:2008693; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00
2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008694;
classtype:attempted-admin; sid:2008694; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|";
content:"..|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008696;
classtype:attempted-admin; sid:2008696; rev:6;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|";
content:"../../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008697;
classtype:attempted-admin; sid:2008697; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00
2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008698;
classtype:attempted-admin; sid:2008698; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|";
content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00
2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008699;
classtype:attempted-admin; sid:2008699; rev:5;)
alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance";
content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 87|"; fast_pattern:only; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008700;
classtype:attempted-admin; sid:2008700; rev:6;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server;
content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78
5A 47 BF 6E E1 88|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008701;
classtype:attempted-admin; sid:2008701; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008702;
classtype:attempted-admin; sid:2008702; rev:6;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"/../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008703;
classtype:attempted-admin; sid:2008703; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008704;
classtype:attempted-admin; sid:2008704; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008705;
classtype:attempted-admin; sid:2008705; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server;
content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78
5A 47 BF 6E E1 88|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008706;
classtype:attempted-admin; sid:2008706; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"..|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008707;
classtype:attempted-admin; sid:2008707; rev:6;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"../../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008708;
classtype:attempted-admin; sid:2008708; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008709;
classtype:attempted-admin; sid:2008709; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server;
content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008710;
classtype:attempted-admin; sid:2008710; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008712;
classtype:attempted-admin; sid:2008712; rev:6;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"/../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008713;
classtype:attempted-admin; sid:2008713; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008714;
classtype:attempted-admin; sid:2008714; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008715;
classtype:attempted-admin; sid:2008715; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"..|5C|..|5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008717;
classtype:attempted-admin; sid:2008717; rev:6;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"../../"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008718;
classtype:attempted-admin; sid:2008718; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008719;
classtype:attempted-admin; sid:2008719; rev:5;)
alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server;
content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1
88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008720;
classtype:attempted-admin; sid:2008720; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows
NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)";
flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f
00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|";
fast_pattern:only; reference:url,
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx;
reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267;
reference:url,doc.emergingthreats.net/bin/view/Main/2008721;
classtype:attempted-admin; sid:2008721; rev:6;)

On 23 February 2012 22:14, ndritsos <ndritsos at ...11827...> wrote:

> Hello ,
>
> iam searching to find the snort rules about : MS08-067 ,
> but unfortunately i can not find that .
>
>  any link where i can find?
>
> thank you in advance
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120224/d62495a0/attachment.html>


More information about the Snort-users mailing list