Snort mailing list archives
Re: Microsoft DCOM RPC Worm Alert
From: Sam Evans <sam () neuroflux com>
Date: Tue, 12 Aug 2003 11:44:49 -0400 (EDT)
You know... The other thing you could do to identify machines is just create a rule looking for TCP/135 leaving your HOME_NET. We have done this and it works quite well. Granted, you have to make sure you have all of your networks defined in the HOME_NET variable, otherwise you will be bombarded by legitimate RPC traffic. But, honestly, there should be no RPC leaving a properly configured HOME_NET.

My .02 worth anyway.

On Tue, 12 Aug 2003, Patrick Dolan wrote:
> It works fine, you just have to include that trailing f on the .pdf extension that somehow didn't get included in the link.
>
> On Tuesday 12 August 2003 09:35 am, Slighter, Tim wrote:
> > any other recommendations? this url does not work
> > thanks
> >
> > -----Original Message-----
> > From: IntegPatchMgr [mailto:IntegPatchMgr () infosys com]
> > Sent: Tuesday, August 12, 2003 5:18 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Microsoft DCOM RPC Worm Alert
> >
> > Hi,
> > You can find snort sign for Microsoft DCOM RPC Worm at
> > https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pd f
> >
> > Regards
> > Shivabasu
> >
> > -------------------------------------------------------
> > This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
> > http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Patrick Dolan
> UNT Information Security
> PGP ID: E5571154
> Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0 6F8D B13B 2456 E557 1154
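The check described in the message above (TCP/135 leaving HOME_NET, and the caveat about defining every network in HOME_NET), as an added example that is not part of the original thread and is not a Snort rule. The record format, addresses, network ranges and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: "proto src dst dport tcp_flags" (not from the thread).
RECORDS = [
    "tcp 10.1.2.15 198.51.100.7 135 S",   # internal host probing outside
    "tcp 10.1.2.15 198.51.100.8 135 S",
    "tcp 10.1.2.15 203.0.113.9 135 S",
    "tcp 10.1.3.20 172.16.5.10 135 S",    # legitimate RPC to a second site
    "tcp 10.1.3.20 10.1.2.1 135 S",       # RPC that stays inside one site
    "tcp 10.1.4.4 198.51.100.7 80 S",     # outbound web traffic, ignored
    "tcp 198.51.100.7 10.1.2.15 135 S",   # inbound, not "leaving HOME_NET"
    "udp 10.1.2.15 198.51.100.7 135 -",   # not TCP, ignored
]

HOME_NET_COMPLETE = ["10.1.0.0/16", "172.16.5.0/24"]
HOME_NET_INCOMPLETE = ["10.1.0.0/16"]     # second site left out by mistake


def inside(addr, nets):
    """True if addr belongs to any network in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def outbound_rpc_sources(records, home_net, port=135):
    """Map each HOME_NET source to the external hosts it sent TCP SYNs to on port."""
    nets = [ipaddress.ip_network(cidr) for cidr in home_net]
    hits = defaultdict(set)
    for line in records:
        proto, src, dst, dport, flags = line.split()
        if proto != "tcp" or int(dport) != port or flags != "S":
            continue
        # Same direction as the rule idea: source inside, destination outside.
        if inside(src, nets) and not inside(dst, nets):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for label, home in (("complete", HOME_NET_COMPLETE),
                        ("incomplete", HOME_NET_INCOMPLETE)):
        print(label, outbound_rpc_sources(RECORDS, home))
```

With the incomplete HOME_NET, the legitimate inter-site RPC from 10.1.3.20 is reported alongside the host that is actually probing external addresses.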
Current thread:
- Microsoft DCOM RPC Worm Alert IntegPatchMgr (Aug 12)
- <Possible follow-ups>
- RE: Microsoft DCOM RPC Worm Alert Slighter, Tim (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Sam Evans (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Simon Gray (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Bruno Saverio Delbono (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert Robert Reid (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert Erek Adams (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert David (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Brian (Aug 28)
- RE: Microsoft DCOM RPC Worm Alert Esler, Joel Contractor (Aug 13)
- RE: Microsoft DCOM RPC Worm Alert John Creegan (Aug 13)