Snort mailing list archives
RE: Snort-users digest, Vol 1 #3453 - 11 msgs
From: חואן <juan () sarel co il>
Date: Sun, 17 Aug 2003 16:49:27 +0200
Does someone know where I can find a manual to install and configure activeworx?

Juan B.
MCSE, CCNA, CCSA, CSCA
System Administrator
Sarel Ltd.
Tel: +972-64-577390
Fax: +972-9-8921900

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, August 14, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3453 - 11 msgs

Today's Topics:

1. Re: acid woes (JP Vossen)
2. Re: DCOM Snort Sigs (JP Vossen)
3. Re: logging traffic (Joerg Mertin)
4. RE: Snort rules updated? (Christopher Lyon)
5. Snort + acid + snortcenter (pro0digy)
6. Re: snort under high density traffic (Mehmet Ersan TOPALOGLU)
7. Re: SPAN port packet related (Ahmad Masood Shah)
8. Commercial sniffer (samwun)
9. Re: snort under high density traffic (Edin Dizdarevic)
10. Compiling BarnyRD (Robert Perez)
11. Re: DCOM Snort Sigs (Bennett Todd)

--__--__--

Message: 1
Date: Thu, 14 Aug 2003 01:31:17 -0400 (EDT)
From: JP Vossen <vossenjp () netaxs com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] acid woes
> From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
> To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
> Organization:
> Date: 13 Aug 2003 18:17:18 -0700
> Subject: [Snort-users] acid woes
>
> I just upgraded postgresql to version 7.3 and now when I try to create the
> tables with the acid setup page I get an error that "datetime does not
> exist". Any ideas here?
Yeah, search the archives [0] for the answer to this question. Specifically [1].

[0] http://marc.theaimsgroup.com/?l=snort-users
    http://sourceforge.net/mailarchive/forum.php?forum_id=3972
[1] http://marc.theaimsgroup.com/?l=snort-users&m=105055117128564&w=2

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."

--__--__--

Message: 2
Date: Thu, 14 Aug 2003 01:37:04 -0400 (EDT)
From: JP Vossen <vossenjp () netaxs com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DCOM Snort Sigs
> From: Dragos Ruiu <dr () kyx net>
> Organization: All Terrain Ninjas
> To: snort-users () lists sourceforge net
> Date: Wed, 13 Aug 2003 14:38:08 -0700
> Subject: [Snort-users] DCOM Snort Sigs
>
> Counterpane has some useful snort sigs at:
> http://www.counterpane.com/alert-v20030801-001.html
>
> cheers,
> --dr
True, but they are all just reposts from the Snort-Sigs list. They are all
nicely in one place though...

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."

--__--__--

Message: 3
From: Joerg Mertin <smurphy () solsys org>
To: Erek Adams <erek () snort org>, Faiz Ahmad Shuja <faizshuja () yahoo it>
Subject: Re: [Snort-users] logging traffic
Date: Thu, 14 Aug 2003 09:01:38 +0200
Cc: zidan () popmail com, snort-users () lists sourceforge net

Hmmm, on a Linux system you can always create a definition for logrotate. It
might be tricky though if using dynamically created files. But if using a
database backend, and only the alert file in /var/log/snort/alert is to be
rotated, the rule for logrotate would look like this on a Mandrake-9.1 system:

# cat /etc/logrotate.d/snortd
/var/log/snort/alert {
    sharedscripts
    rotate 5
    weekly
    postrotate
        /usr/bin/killall -HUP snortd
    endscript
}

I don't know if restarting the entire application is better or not - however,
I think it should work :) Just testing it now.

Cheers
Joerg

On Thursday 14 August 2003 02:16, Erek Adams wrote:
> On Thu, 14 Aug 2003, Faiz Ahmad Shuja wrote:
>
> > Yes, I think you can. Anyone please correct if I am wrong. You can limit
> > file size by using unified output plugin.
>
> Close, but not quite. He wanted files to be rotated every time they reached
> a certain size. Unified doesn't do that. The limit is the max size of the
> file. Once the size is reached, the file pointer wraps around and starts
> filling up again from the 'front' of the file. I think I've heard things
> like that referred to as a 'circular file'.
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
--
It is said that the lonely eagle flies to the mountain peaks while the lowly
ant crawls the ground, but cannot the soul of the ant soar as high as the
eagle?
------------------------------------------------------------------------
| Joerg Mertin             : smurphy () solsys org  (Home) |
| in Neuchâtel/Schweiz     : smurphy () linux de    (Alt1) |
| Stardust's LiNUX System  : smurphy () net2000 ch  (Alt2) |
| Web: http://www.solsys.org : Voice & Fax: +41(0)32 / 725 52 54 |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

--__--__--

Message: 4
Subject: RE: [Snort-users] Snort rules updated?
Date: Thu, 14 Aug 2003 00:32:36 -0700
From: "Christopher Lyon" <cslyon () netsvcs com>
To: <CMartin () infosol com>, <erek () snort org>
Cc: <snort-users () lists sourceforge net>

It doesn't look like the DCOM rules are in the ../dl/snortrules-current.tar.gz
or in the CVS tree. I am sure they will get them in there but for now use what
they have listed:

http://www.snort.org/snort-db/sid.html?sid=2192
http://www.snort.org/snort-db/sid.html?sid=2193

BTW, if you haven't pulled Oinkmaster down yet, that is a must, very good tool
for updating your sigs and to see what changes.

Good luck,
-----Original Message-----
From: CMartin () infosol com [mailto:CMartin () infosol com]
Sent: Wednesday, August 13, 2003 2:18 PM
To: erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?

Thanks Erek, I'll join the mailing list to keep myself up to date on the
sigs, and I like your idea for my own signatures. But since I missed the
email that says whether the sigs are up to date with DCOM detection ability,
I was wondering if you can tell me if the rules are up to date?

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, August 13, 2003 1:40 PM
To: CMartin () infosol com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules updated?

On Wed, 13 Aug 2003 CMartin () infosol com wrote:

> Just wanted to get the word when the official rule sets get updated with
> the rules to detect DCOM exploit as well as the worm associated with the
> exploit (mblaster.exe). I like the idea of adding the rule myself;
> however, I wouldn't mind bringing my systems up to date by downloading
> the rule sets with the new rules implemented. I'm hoping the rule sets
> that are on the site now are updated :)

Join the snort-sigs mailing list. It's been posted numerous times over the
last few days.

And as for adding rules yourself: Create a "my.rules" and place your rules in
there. Then whenever you auto update rules, that won't get overwritten. Be
sure and add it to the include lines at the bottom of snort.conf.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
--__--__--

Message: 5
Date: Thu, 14 Aug 2003 00:57:27 -0700 (PDT)
From: pro0digy <losty21 () yahoo com>
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort + acid + snortcenter

Hi All,

I have a solution running with snort 2.01, acid and snortcenter. I am trying to
use the snortcenter acid plugin; is there a way that you can have multiple
instances of acid in the snortcenter console? My problem is that because of the
sheer volume of data I have to run three separate instances of the acid
console, with three different databases.

Irfan

--__--__--

Message: 6
Date: Thu, 14 Aug 2003 12:07:09 EEST
From: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Reply-To: "Mehmet Ersan TOPALOGLU" <mersan () ceng metu edu tr>
Subject: Re: [Snort-users] snort under high density traffic
To: snort-users () lists sourceforge net

Thanks for the comment, but actually the thing is not that I want to improve my
performance using Snort. As I said in my first mail about this, I am working on
my MSc thesis. I am using Snort to make my tests and I need the statistics,
__correct__ ones. Here are two situations:

1. The one with the default 2.420 kernel. Three PCs replay scenarios at
30Mbit/s each, total traffic is 90Mbit/s. At the end, Snort reports analysing
around 200.000 packets out of 300.000 packets and dropping the rest, but
/proc/net/dev says around 3.800.000 packets arrived, and my scenarios are about
1.600.000 packets each, totally 4.800.000 packets.

2. I made some modifications to the kernel. Replay scenarios and rates are the
same. Snort produces a result saying "Snort analysed 3.800.000 packets out of
7.400.000 packets, dropping the rest". /proc/net/dev says 3.800.000 packets
arrived too. I guess snort is able to analyse all packets that arrived but I
don't know where the dropped packets come from.

I am sure that no additional packets (other than arp queries of the switch,
which are at most 2-3 thousand for each session, _negligible_) arrive to the
network. The results are not only one-time results. At least 20-25 times I
tried and the results are around the same values. In first tries I was using
snort v1.9 and libpcap v0.7 but after the advice of Erek Adams I upgraded to
snort 2.0.1 and the patched version of libpcap 0.8.

I hope I could explain the situation. Thanks in advance
> Hi,
>
> Statistics are _really_ not working well in Snort 1.9.x. Don't believe them.
> The kernel statistics are working well. You can trust them.
>
> Maybe some former postings may help:
>
> Is Snort losing packets? What is the statistics saying? In Snort 2.0 the
> statistics seem to work good finally. Have you tried using perfmonitor? How
> many packets is Snort "seeing"? Take off all the machines and connect the
> tcpreplay-machine with the sensor with a crossover cable. Don't worry, it
> will work. Try using more memory on your sensor. Optimize your HD - acoustic
> management off, UDMA5 transfer mode, 32Bit I/O-access, see hdparm --help.
> Try using 64Bit machines. Try other NICs (3Com). Turn only unified logging
> on. Are you using some IDS evasion techniques like insertion, fragmented
> packets, fake resets or similar? Run as few processes on your sensor as
> possible.
>
> - Use powerful machines, memory is more important than CPU speed, 64Bit if
>   possible/needed
> - Reduce your ruleset as far as you can, use multiple sensors for different
>   ports if you can, deactivate unnecessary rules going through every single
>   file one by one, use ~100 rules on machines with 2GHz/512MBs RAM (approx
>   value, my personal experience, may vary)
> - Use one sensor for HTTP/CGI only
> - Log in unified format, use barnyard
> - Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if sitting
>   behind a Linux packet filter...)
> - Marty said Snort 2 is approx 18x faster than Snort 1.9, try that
> - Use Intel or 3Com NICs
> - See this:
>   http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
>   http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
> - Experiment a lot
>
> Have fun...
>
> Regards,
> Edin
>
> --
> Edin Dizdarevic
[..]

- mersan
mersan () ceng metu edu tr
mersan () cclub metu edu tr

--__--__--

Message: 7
From: "Ahmad Masood Shah" <jahil () 66-uetclub com>
To: "Faiz Ahmad Shuja" <faizshuja () yahoo it>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] SPAN port packet related
Date: Thu, 14 Aug 2003 15:24:14 +0500

ohh then what is the problem here with my setup. I have attached my border
router to switch port 0/11. My border router traffic is 500 Kbps in and 600
Kbps out, round about. I'm using a Catalyst 3500 to mirror traffic for port
0/11 to SPAN 0/10. But it's very strange for me: IDS system traffic is not
exceeding more than 40 Kbps or 70 Kbps. So if my border router traffic is more
than 500 K then my IDS system traffic must be 500 K or more than that. Logging
is working properly on the IDS for the border router. I mean to say I can see
traffic is coming @ my IDS system via the 0/11 port. What could be wrong?

--
Best Regs,
Masood Ahmad Shah
System Administrator
Fibre Net (Pvt) Ltd. Lahore, Pakistan
Tel: +92-42-6677024 | Mobile: +92-300-4277367 | http://www.fibre.net.pk
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)

----- Original Message -----
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
To: "'Ahmad Masood Shah'" <jahil () 66-uetclub com>; <snort-users () lists sourceforge net>
Sent: Thursday, August 14, 2003 2:53 AM
Subject: RE: [Snort-users] SPAN port packet related

| A copy of all the traffic on port 0/11 and 0/12 will be sent on port
| 0/10 by switch. It will send "everything" coming on these ports.
|
| Regards,
| Faiz
|
| -----Original Message-----
| From: snort-users-admin () lists sourceforge net
| [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ahmad
| Masood Shah
| Sent: Wednesday, August 13, 2003 12:48 PM
| To: snort-users () lists sourceforge net
| Subject: [Snort-users] SPAN port packet related
|
| 0/12. SPAN port is 0/10. my 0/11 port data is upto 1 Mbps. My question is
| that when switch will send packet information to my IDS via SPAN port it
| will redirect all traffic or it will send simple packet header to IDS
| sensor.
|
| --
| Best Regs,
| Masood Ahmad Shah

--__--__--

Message: 8
From: "samwun" <samwun () hgcbroadband com>
To: <snort-users () lists sourceforge net>
Date: Thu, 14 Aug 2003 19:17:31 +0800
Subject: [Snort-users] Commercial sniffer

Dear all,

Can anyone suggest a commercial sniffer?

Thanks
Sam

--__--__--

Message: 9
Date: Thu, 14 Aug 2003 13:50:24 +0200
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Reply-To: edin.dizdarevic () interActive-Systems de
Organization: interActive Systems
To: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort under high density traffic

Mehmet Ersan TOPALOGLU wrote:

[...]
> the results are around the same values. In first tries I was using snort
> v1.9 and libpcap v0.7 but after the advice of Erek Adams I upgraded to snort
> 2.0.1 and the patched version of libpcap 0.8.
And how is it working now? You mean even _after_ upgrading to Snort 2 you still
have the same, wrong statistics? My experience is that the statistics in Snort 2
are quite reliable, in Snort 1.9 not. I may do some checks. As far as I can
recall my Snort 1.9 tests, the statistics were fine only if Snort did not lose
any packets.

Are you able to share the tcpdump files you are using with tcpreplay so I can
test it with my 64bit machines?
> I hope I could explain the situation. Thanks in advance
Regards,
Edin

--
Edin Dizdarevic

--__--__--

Message: 10
From: Robert Perez <Robert.Perez () intercept net>
To: "Snort-Users (snort-users () lists sourceforge net)" <snort-users () lists sourceforge net>
Date: Wed, 13 Aug 2003 12:44:42 -0400
Subject: [Snort-users] Compiling BarnyRD

Hi all,

I am trying to compile barnyard and every time I get the error "unable to find
mysql client libraries". I have installed the client and server version of
MySQL and have even pointed the ./configure...--with-mysql-libraries to the
appropriate directory but it still fails.. ?? Please help

--__--__--

Message: 11
Date: Thu, 14 Aug 2003 07:55:06 -0400
From: Bennett Todd <bet () rahul net>
To: JP Vossen <vossenjp () netaxs com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DCOM Snort Sigs

2003-08-14T01:37:04 JP Vossen:
> 2003-08-13T14:38:08-0700 Dragos Ruiu:
> > Counterpane has some useful snort sigs at:
> > http://www.counterpane.com/alert-v20030801-001.html
>
> True, but they are all just reposts from the Snort-Sigs list. They are all
> nicely in one place though...
I must have missed most of 'em. I've been trying to collect every distinct sig
I've seen posted, and the only ones on that counterpane page that I'd had in my
collection were the two "official" snort db ones, sids 2192 and 2193.

I attach my collection as it stands at this point. NB I had to tear the
"references:" out of a couple of 'em, they were gagging my snort and I couldn't
figure out why.

-Bennett

[attachment: local.rules]

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference:bugtraq,8205; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference:bugtraq,8205; rev:1;)
# TFTP read request (opcode 00 01) for msblast.exe; depth must cover the full 13-byte content
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (sid:1000024; rev:3; msg:"W32/MSBLAST Worm over TFTP"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; classtype:trojan-activity; priority:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (sid:1000025; rev:4; msg:"W32/MSBLAST Worm ANY"; content:"|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset:0; depth:13; classtype:trojan-activity; priority:1;)
alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
alert tcp any 3333 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1;)
alert tcp any any -> any 445 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 445"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)
--__--__--

End of Snort-users Digest
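A rule sanity check, added here as an example and not part of the thread or of Snort itself: it parses the options of rules shaped like the ones in the local.rules attachment above and flags the mistakes a loaded rule set tolerates without complaint, such as a depth or within shorter than the 13-byte msblast.exe pattern it applies to, a rule with no sid, and a reference that is not of the form system,id (the kind Bennett had to tear out). The two sample rules are constructed from the attachment, and the set of reference systems is assumed to match a stock Snort 2.0 reference.config.

```python
# Constructed sample rules shaped like the attachment above; the first one
# deliberately carries a depth smaller than its 13-byte content.
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 69 (sid: 1000024; rev: 3; '
    'msg: "W32/MSBLAST Worm over TFTP"; '
    'content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 2; '
    'classtype: trojan-activity; priority: 1;)',
    'alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC '
    'System Shell Exploit Response"; flow:from_server,established; '
    'content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; '
    'classtype:successful-admin;)',
]

# Reference systems of a stock Snort 2.0 reference.config (assumption).
KNOWN_REF_SYSTEMS = {"bugtraq", "cve", "arachnids", "mcafee", "nessus", "url"}


def split_options(body):
    """Split the text inside the rule's parentheses into (keyword, value)
    pairs; a ';' inside a quoted msg or content does not end an option."""
    opts, cur, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":          # unescaped quote toggles state
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur); cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        opts.append(cur)
    return [(o.partition(":")[0].strip().lower(), o.partition(":")[2].strip())
            for o in opts]


def content_bytes(spec):
    """Decode a content value: text outside |...| is literal, text inside is
    hex pairs. A leading '!' (negated match) is not part of the pattern."""
    spec = spec.strip().lstrip("!").strip().strip('"')
    out, i, in_hex = bytearray(), 0, False
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            in_hex = not in_hex; i += 1
        elif in_hex:
            chunk = spec[i:].split("|", 1)[0]
            out += bytes.fromhex(chunk.replace(" ", ""))   # ValueError if not hex
            i += len(chunk)
        elif ch == "\\" and i + 1 < len(spec):              # escaped literal
            out.append(ord(spec[i + 1])); i += 2
        else:
            out.append(ord(ch)); i += 1
    return bytes(out)


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means clean."""
    findings = []
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["rule body is not enclosed in parentheses"]
    opts = split_options(rule[start + 1:end])
    if "sid" not in [k for k, _ in opts]:
        findings.append("missing sid (rule cannot be tracked or deduplicated)")
    last_len = None   # byte length of the most recent content pattern
    for key, val in opts:
        if key == "content":
            try:
                last_len = len(content_bytes(val))
            except ValueError:
                findings.append("content has malformed hex: " + val); last_len = None
        elif key in ("depth", "within") and last_len is not None and int(val) < last_len:
            findings.append("%s:%s is smaller than the %d-byte content it applies to, "
                            "so it can never match" % (key, val, last_len))
        elif key == "reference":
            system, _, ident = val.partition(",")
            if not ident or system.strip().lower() not in KNOWN_REF_SYSTEMS:
                findings.append("reference '%s' is not 'system,id' with a known system" % val)
    return findings
```

Run `lint_rule` over each line of a rules file before loading it; a finding on a rule that snort accepted without error is exactly the silent failure the linter is for.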