Snort mailing list archives

Re: MSDTC Vulnerability Rule?


From: "John" <johns () tampabay rr com>
Date: Mon, 4 Feb 2002 10:44:46 -0500

Hello Eric,

  With the limited details of this bug I came up with a simple rule. It will
(as usual) require some work from the IDS analysis.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)

----- Original Message -----
From: "Eric Johansen" <eric.johansen () reliastar com>
To: <snort-users () lists sourceforge net>
Sent: Monday, February 04, 2002 9:54 AM
Subject: [Snort-users] MSDTC Vulnerability Rule?


Has anyone created a rule for the MSDTC vulnerability that was published a
few days ago (http://www.securityfocus.com/bid/4006)?

Also, since Whitehats.com's site seems to be unreliable recently, where do
you guys go for supplemental and bleeding edge rules updates?  Or do you
mostly "brew your own"?

Thanks!

Eric

---
Eric Johansen
System Administrator
PrimeVest



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


