Snort mailing list archives
RE: Microsoft DCOM RPC Worm Alert
From: "John Creegan" <jcreegan () questarweb com>
Date: Wed, 13 Aug 2003 08:46:39 -0500
The alert below will work after "withing" is replaced with "within"... :-)

Alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5c 00 5c|"; content:!"|5C|"; withing:32; flow:to_server,established; reference:bugtraq,8205; rev: 1;)

This will detect the worm.

-----Original Message-----
From: Simon Gray [mailto:simong () desktop-guardian com]
Sent: Tuesday, August 12, 2003 11:25 AM
To: Slighter, Tim; 'IntegPatchMgr'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Microsoft DCOM RPC Worm Alert

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
----- Original Message -----
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
To: "'IntegPatchMgr'" <IntegPatchMgr () infosys com>; <snort-users () lists sourceforge net>
Sent: Tuesday, August 12, 2003 3:35 PM
Subject: RE: [Snort-users] Microsoft DCOM RPC Worm Alert

any other recommendations? this url does not work
thanks

-----Original Message-----
From: IntegPatchMgr [mailto:IntegPatchMgr () infosys com]
Sent: Tuesday, August 12, 2003 5:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Microsoft DCOM RPC Worm Alert

Hi,

You can find the Snort sign for Microsoft DCOM RPC Worm at
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

Regards
Shivabasu
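The whole thread turns on one misspelled option keyword ("withing" for "within") that silently breaks a rule. As an added example, not code from any of the posters or from the Snort project, here is a small Python linter for Snort 2.x rule syntax: it splits the option body, flags keywords outside a constructed (partial) whitelist, decodes the mixed hex/ASCII content patterns, and checks that content modifiers follow a content match and that a within window is at least as long as the pattern it modifies. The keyword list is an assumption sized for the rules in this thread, and THREAD_RULE is a copy of the rule posted above.

```python
import re

# Constructed subset of Snort 2.x option keywords, enough for the rules in this thread.
KNOWN_OPTIONS = {
    "msg", "content", "nocase", "offset", "depth", "distance", "within",
    "flow", "byte_test", "reference", "classtype", "sid", "rev", "pcre",
}
# Modifiers that only have meaning once at least one content: has appeared.
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "distance", "within"}

HEADER_RE = re.compile(
    r"^\s*(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.DOTALL | re.IGNORECASE,
)

# The rule from the top of this thread, copied verbatim (typo included).
THREAD_RULE = (
    'Alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface Buffer '
    'Overflow Exploit"; content:"|00 5c 00 5c|"; content:!"|5C|"; withing:32; '
    'flow:to_server,established; reference:bugtraq,8205; rev: 1;)'
)


def split_options(body):
    """Split the rule body on ';' separators that are not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def decode_content(value):
    """Turn a Snort content pattern such as '|5c 00|P|00|I' into bytes.
    Text between pipes is hex (whitespace ignored); text outside is literal ASCII."""
    if value.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def lint_rule(rule_text):
    """Return a list of problems found in one rule; an empty list means it parsed cleanly."""
    m = HEADER_RE.match(rule_text)
    if not m:
        return ["rule header does not parse"]
    problems, seen_content, last_pattern = [], False, b""
    for opt in split_options(m.group(8)):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name not in KNOWN_OPTIONS:
            problems.append(f"unknown option keyword {name!r}")
            continue
        if name in CONTENT_MODIFIERS and not seen_content:
            problems.append(f"{name} used before any content match")
        if name == "content":
            seen_content = True
            try:
                # Strip the negation '!' and the surrounding quotes before decoding.
                last_pattern = decode_content(value.lstrip("!").strip().strip('"'))
            except ValueError as exc:
                problems.append(f"bad content pattern {value}: {exc}")
        elif name in {"offset", "depth", "distance", "within", "sid", "rev"}:
            if not value.isdigit():
                problems.append(f"{name} needs a non-negative integer, got {value!r}")
            # A within window shorter than the pattern it modifies can never match.
            elif name == "within" and int(value) < len(last_pattern):
                problems.append(
                    f"within:{value} is shorter than the {len(last_pattern)}-byte pattern before it"
                )
    return problems


if __name__ == "__main__":
    for problem in lint_rule(THREAD_RULE) or ["no problems found"]:
        print(problem)
```

Run as a script it reports the unknown keyword in THREAD_RULE; once "withing" becomes "within" the rule lints clean, which is exactly the one-word fix the poster describes.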