Full Disclosure mailing list archives

RE: DCOM RPC exploit IDS rule?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 30 Jul 2003 16:32:55 -0500

Updated sigs for snort were released today.  If you're using oinkmaster,
you can retrieve them that way.

We're not seeing any, but the ports are closed and the IDSes are behind
the firewall, so I wouldn't expect to see any.  The various places I
monitor seem to indicate that activity on those ports has picked up, but
it all appears to be manual at this point.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

-----Original Message-----
From: Joshua Thomas [mailto:JThomas () poweronemedia com] 
Sent: Wednesday, July 30, 2003 3:48 PM
To: 'full-disclosure () lists netsys com'
Subject: [Full-disclosure] DCOM RPC exploit IDS rule?


Two questions: 
1) Are there IDS rules out for the DCOM RPC exploit yet? 
2) If so, how much activity in "the wild" has anyone seen on their IDS
of choice for this exploit?