RE: Microsoft DCOM RPC Worm Alert

["John Creegan" <jcreegan () questarweb com>]

The alert below will work after "withing" is replaced with "within"...
:-)

> Alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface
Buffer
> Overflow Exploit"; content:"|00 5c 00 5c|"; content:!"|5C|";
withing:32;
> flow:to_server,established; reference:bugtraq,8205; rev: 1;)
>
> This will detect the worm.
>
> -----Original Message-----
> From: Simon Gray [mailto:simong () desktop-guardian com] 
> Sent: Tuesday, August 12, 2003 11:25 AM
> To: Slighter, Tim; 'IntegPatchMgr'; snort-users () lists sourceforge net

> Subject: Re: [Snort-users] Microsoft DCOM RPC Worm Alert
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC
> ISystemActivator bind attempt"; flow:to_server,established;
content:"|05|";
> distance:0; within:1; content:"|0b|"; distance:1; within:1;
> byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00
00 00
> 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352;
> classtype:attempted-admin; sid:2192; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC
> ISystemActivator bind attempt"; flow:to_server,established;
> content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26
> 00|";distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c
00|";
> nocase; distance:5; within:12; content:"|05|"; distance:0; within:1;
> content:"|0b|"; distance:1; within:1;
> byte_test:1,&,1,0,relative;content:"|A0 01 00 00 00 00 00 00 C0 00 00
00 00
> 00 00 46|"; distance:29; within:16;
> reference:cve,CAN-2003-0352;classtype:attempted-admin; sid:2193;
rev:1;)
> https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

> ----- Original Message ----- 
> From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
> To: "'IntegPatchMgr'" <IntegPatchMgr () infosys com>;
> <snort-users () lists sourceforge net>
> Sent: Tuesday, August 12, 2003 3:35 PM
> Subject: RE: [Snort-users] Microsoft DCOM RPC Worm Alert
>
>
> > any other recommendations?  this url does not work
> >
> > thanks
> >
> > -----Original Message-----
> > From: IntegPatchMgr [mailto:IntegPatchMgr () infosys com] 
> > Sent: Tuesday, August 12, 2003 5:18 AM
> > To: snort-users () lists sourceforge net 
> > Subject: [Snort-users] Microsoft DCOM RPC Worm Alert
> >
> >
> > Hi,
> >
> > You can find snort sign for Microsoft DCOM RPC Worm at
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.
> > pd
> > f
> >
> > Regards
> > Shivabasu



This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users