Snort mailing list archives

RE: Snort-users digest, Vol 1 #3453 - 11 msgs


From: חואן <juan () sarel co il>
Date: Sun, 17 Aug 2003 16:49:27 +0200


Does someone know where I can find a manual to install and configure
activeworx?
 


Juan B.
Mcse Ccna Ccsa Csca
System Administrator
Sarel Ltd.
Tel:+972-64-577390
Fax:+972-9-8921900





-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, August 14, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3453 - 11 msgs


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: acid woes (JP Vossen)
   2. Re: DCOM Snort Sigs (JP Vossen)
   3. Re: logging traffic (Joerg Mertin)
   4. RE: Snort rules updated? (Christopher Lyon)
   5. Snort + acid + snortcenter (pro0digy)
   6. Re: snort under high density traffic (Mehmet Ersan TOPALOGLU)
   7. Re: SPAN port packet related (Ahmad Masood Shah)
   8. Commercial sniffer (samwun)
   9. Re: snort under high density traffic (Edin Dizdarevic)
  10. Compiling BarnyRD (Robert Perez)
  11. Re: DCOM Snort Sigs (Bennett Todd)

--__--__--

Message: 1
Date: Thu, 14 Aug 2003 01:31:17 -0400 (EDT)
From: JP Vossen <vossenjp () netaxs com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] acid woes

From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
To: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Organization:
Date: 13 Aug 2003 18:17:18 -0700
Subject: [Snort-users] acid woes

I just upgraded postgresql to version 7.3 and now when I try to create
the tables with the acid setup page I get an error that "datetime does
not exist".

Any ideas here?

Yeah, search the archives [0] for the answer to this question.  Specifically
[1].


[0] http://marc.theaimsgroup.com/?l=snort-users
http://sourceforge.net/mailarchive/forum.php?forum_id=3972

[1] http://marc.theaimsgroup.com/?l=snort-users&m=105055117128564&w=2

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."



--__--__--

Message: 2
Date: Thu, 14 Aug 2003 01:37:04 -0400 (EDT)
From: JP Vossen <vossenjp () netaxs com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DCOM Snort Sigs

From: Dragos Ruiu <dr () kyx net>
Organization: All Terrain Ninjas
To: snort-users () lists sourceforge net
Date: Wed, 13 Aug 2003 14:38:08 -0700
Subject: [Snort-users] DCOM Snort Sigs

Counterpane has some useful snort sigs at:

http://www.counterpane.com/alert-v20030801-001.html

cheers,
--dr

True, but they are all just reposts from the Snort-Sigs list.  They are all
nicely in one place though...

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."



--__--__--

Message: 3
From: Joerg Mertin <smurphy () solsys org>
To: Erek Adams <erek () snort org>,
        Faiz Ahmad Shuja <faizshuja () yahoo it>
Subject: Re: [Snort-users] logging traffic
Date: Thu, 14 Aug 2003 09:01:38 +0200
Cc: zidan () popmail com, snort-users () lists sourceforge net

Hmmm,

on a Linux system - you can always create a definition for logrotate.
It might be tricky though if using dynamically created files. But if using a
Database backend, and only the Alert file in /var/log/snort/alert to be
rotated, the rule for logrotate would look like this on a Mandrake-9.1
system:
# cat /etc/logrotate.d/snortd
/var/log/snort/alert {
        sharedscripts
        rotate 5
        weekly
        postrotate
        /usr/bin/killall -HUP snortd #
        endscript
}

I Don't know if restarting the entire application is better or not - however -
I think it should work :) Just testing it now.

Cheers

        Joerg

On Thursday 14 August 2003 02:16, Erek Adams wrote:
On Thu, 14 Aug 2003, Faiz Ahmad Shuja wrote:
Yes, I think you can. Anyone please correct if I am wrong. You can limit
file size by using unified output plugin.

Close, but not quite.  He wanted files to be rotated every time they
reached a certain size.  Unified doesn't do that.  The limit is the max
size of the file.  Once the size is reached, the file pointer wraps around
and starts filling up again from the 'front' of the file.  I think I've
heard things like that referred to as a 'circular file'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
--
It is said that the lonely eagle flies to the mountain peaks while the lowly
ant crawls the ground, but cannot the soul of the ant soar as high as the
eagle?
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy () solsys org                (Home)|
| in Neuchâtel/Schweiz      :  smurphy () linux de                  (Alt1)|
| Stardust's LiNUX System   :  smurphy () net2000 ch                (Alt2)|
| Web: http://www.solsys.org:  Voice & Fax: +41(0)32 / 725 52 54       |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
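A size-triggered variant, added here as an example and not part of the thread: logrotate's `size` directive rotates as soon as the file exceeds the threshold rather than on a calendar, which is what the original question asked for. The pid-file path is an assumption (Snort names it /var/run/snort_<interface>.pid when daemonised), and the `create` line must name the user Snort actually runs as.

```conf
# /etc/logrotate.d/snort   (added example, not from the thread)
/var/log/snort/alert {
        size 50M                # rotate when the file exceeds 50 MB, not weekly
        rotate 10
        compress
        delaycompress           # newest rotated copy stays uncompressed for quick grep
        missingok
        notifempty
        create 0640 root root   # match the user/group Snort writes the alert file as
        postrotate
                # assumed pid file name: snort_<interface>.pid; HUP makes Snort
                # restart and reopen its output files
                /bin/kill -HUP `cat /var/run/snort_eth0.pid 2>/dev/null` 2>/dev/null || true
        endscript
}
```

One caveat: logrotate only evaluates `size` when it is run, so if the alert file can blow past the limit within a day, invoke logrotate from an hourly cron entry rather than the default daily one.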



--__--__--

Message: 4
Subject: RE: [Snort-users] Snort rules updated?
Date: Thu, 14 Aug 2003 00:32:36 -0700
From: "Christopher Lyon" <cslyon () netsvcs com>
To: <CMartin () infosol com>,
        <erek () snort org>
Cc: <snort-users () lists sourceforge net>

It doesn't look like the DCOM rules are in the
../dl/snortrules-current.tar.gz or in the CVS tree. I am sure they will
get them in there but for now use what they have listed:


http://www.snort.org/snort-db/sid.html?sid=2192
http://www.snort.org/snort-db/sid.html?sid=2193

BTW, if you haven't pulled Oinkmaster down yet, that is a must, very
good tool for updating your sigs and to see what changes.



Good luck,



-----Original Message-----
From: CMartin () infosol com [mailto:CMartin () infosol com]
Sent: Wednesday, August 13, 2003 2:18 PM
To: erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?

Thanks Erek,  I'll join the mailing list to keep myself up to date on
the sigs, and I like your idea for my own signatures.  But since I missed
the email saying whether the sigs are up to date with DCOM detection
ability, I was wondering if you can tell me if the rules are up to date?

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, August 13, 2003 1:40 PM
To: CMartin () infosol com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules updated?

On Wed, 13 Aug 2003 CMartin () infosol com wrote:

    Just wanted to get the word when the official rule sets get updated
    with the rules to detect DCOM exploit as well as the worm associated
    with the exploit (mblaster.exe).  I like the idea of adding the rule
    myself; however, I wouldn't mind bringing my systems up to date by
    downloading the rule sets with the new rules implemented.  I'm hoping
    the rule sets that are on the site now are updated :)

Join the snort-sigs mailing list.  It's been posted numerous times
over the last few days.

And as for adding rules yourself:  Create a "my.rules" and place your
rules in there.  Then whenever you auto update rules, that won't get
overwritten.  Be sure and add it to the include lines at the bottom of
snort.conf.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-
url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 5
Date: Thu, 14 Aug 2003 00:57:27 -0700 (PDT)
From: pro0digy <losty21 () yahoo com>
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort + acid + snortcenter

Hi All, 
I have a solution running with snort 2.01, acid and
snortcenter. 
I am trying to use snortcenter acid plugin, is there a
way that you can have multiple instance of acid into
snortcenter console. 
My problem is because of sheer volume of data I have
to run three separate instances of acid console, with
three different databases.

Irfan 

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


--__--__--

Message: 6
Date: Thu, 14 Aug 2003 12:07:09 EEST
From: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Reply-To: "Mehmet Ersan TOPALOGLU" <mersan () ceng metu edu tr>
Subject: Re: [Snort-users] snort under high density traffic
To: snort-users () lists sourceforge net

Thanks for the comment, but actually the thing is not that I want to improve
my performance using Snort. As I said in my first mail about this, I am
working on my MSc Thesis.
I am using Snort to make my tests and I need the statistics, __correct__
ones.
Here are two situations:

1. The one with default 2.4.20 kernel. Three PCs replay scenarios at 30Mbit/s
each, total traffic is 90Mbit/s.
    At the end, Snort reports to analyse around 200.000 packets out of
300.000 packets and dropping the rest.
    but /proc/net/dev says around 3.800.000 packets arrived and my scenarios
are about 1.600.000 packets
    each, totally 4.800.000 packets.

2. I made some modifications to kernel. Replay scenarios and rates are the
same.
   Snort produces result saying "Snort analysed 3.800.000 packets out of
7.400.000 packets dropping the rest."
   /proc/net/dev says 3.800.000 packets arrived too. I guess snort is able to
analyse all packets arrived but I don't know
   where the dropped packets come from. I am sure that no additional packets
(other than arp queries of switch that is at most
   2-3 thousand for each session _negligible_) arrive to the network.

The results are not only one-time results. At least 20-25 times I tried and
the results are around the same values.
In first tries I was using snort v1.9 and libpcap v0.7 but after the advice
of Erek Adams I upgraded to snort 2.0.1 and patched version of libpcap
0.8.

I hope i could explain the situation.

Thanks in advance

Hi,

Statistics are _really_ not working well in Snort 1.9.x. Don't believe
them.
The kernel statistics are working well. You can trust them.

Maybe some former postings may help:

Is Snort losing packets? What is the statistics saying? In Snort 2.0
the statistics seem to work good finally. Have you tried using
perfmonitor? How many packets is Snort "seeing"? Take off all the
machines and connect the tcpreplay-machine with the sensor with a
crossover cable. Don't worry, it will work. Try using more memory
on your sensor. Optimize your HD - Acoustic management off, UDMA5
transfer mode, 32Bit I/O-access, see hdparm --help. Try using 64Bit
machines. Try other NICs (3Com). Turn only unified logging on. Are you
using some IDS evasion techniques like insertion, fragmented packets,
fake resets or similar? Run as few processes on your sensor as
possible.


- Use powerful machines, memory is more important than CPU speed, 64Bit
  if possible/needed
- Reduce your ruleset as far as you can, use multiple sensors for
  different ports if you can, deactivate unnecessary rules going through
  every single file one by one, use ~100 rules on machines with
  2GHz/512MBs RAM (approx value, my personal experience, may vary)
- Use one sensor for HTTP/CGI only
- Log in unified format, use barnyard
- Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if
  sitting behind a Linux packet filter...)
- Marty said Snort 2 is approx 18x faster than Snort 1.9, try that
- Use Intel or 3Com NICs
- See this:

http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
- Experiment a lot

Have fun...

Regards,

Edin

-- 
Edin Dizdarevic

[..]

- mersan
  
  mersan () ceng metu edu tr
  mersan () cclub metu edu tr



--__--__--

Message: 7
From: "Ahmad Masood Shah" <jahil () 66-uetclub com>
To: "Faiz Ahmad Shuja" <faizshuja () yahoo it>,
        <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] SPAN port packet related
Date: Thu, 14 Aug 2003 15:24:14 +0500

ohh then what is the problem here with my setup. I have attached my border
router to switch 0/11. My border router traffic is 500 Kbps in and 600 Kbps out,
round about. I'm using Catalyst 3500 to mirror traffic for port 0/11 to SPAN
0/10.
but it's very strange for me that IDS system traffic is not exceeding more than
40 Kbps or 70 Kbps. So if my border router traffic is more than 500 K then my
IDS system traffic must be 500 K or more than that. Logging is working
properly on IDS for border router. I mean to say I can see traffic is coming
@ my IDS system via 0/11 port.

what could be wrong?

-- 

Best Regs,
Masood Ahmad Shah
System Administrator

^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
|   * * * * * * * * * * * * * * * * * * * * * * * *
|   Fibre Net (Pvt) Ltd. Lahore, Pakistan
|   Tel: +92-42-6677024
|   Mobile: +92-300-4277367
|   http://www.fibre.net.pk
|   * * * * * * * * * * * * * * * * * * * * * * * *
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

----- Original Message ----- 
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
To: "'Ahmad Masood Shah'" <jahil () 66-uetclub com>;
<snort-users () lists sourceforge net>
Sent: Thursday, August 14, 2003 2:53 AM
Subject: RE: [Snort-users] SPAN port packet related


| A copy of all the traffic on port 0/11 and 0/12 will be sent on port
| 0/10 by switch. It will send "everything" coming on these ports.
|
| Regards,
| Faiz
|
|
| -----Original Message-----
| From: snort-users-admin () lists sourceforge net
| [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ahmad
| Masood Shah
| Sent: Wednesday, August 13, 2003 12:48 PM
| To: snort-users () lists sourceforge net
| Subject: [Snort-users] SPAN port packet related
|
|
| 0/12. SPAN port
| is 0/10. my 0/11 port data is upto 1 Mbps. My question is that when
| switch will send packet information to my IDS via SPAN port  it will
| redirect all traffic or it will send simple packet header to IDS sensor.
|
| -- 
|
| Best Regs,
| Masood Ahmad Shah
|
|
|
|



--__--__--

Message: 8
From: "samwun" <samwun () hgcbroadband com>
To: <snort-users () lists sourceforge net>
Date: Thu, 14 Aug 2003 19:17:31 +0800
Subject: [Snort-users] Commercial sniffer


Dear all,

Can anyone suggest a commercial sniffer?


Thanks
Sam




--__--__--

Message: 9
Date: Thu, 14 Aug 2003 13:50:24 +0200
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Reply-To: edin.dizdarevic () interActive-Systems de
Organization: interActive Systems
To: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort under high density traffic



Mehmet Ersan TOPALOGLU wrote:
[...]
the results are around the same values. In first tries I was using snort v1.9
and libpcap v0.7 but after the advice of Erek Adams I upgraded to snort 2.0.1
and patched version of libpcap 0.8.

And how is it working now? You mean even _after_ upgrading to Snort 2 you
still have the same, wrong statistics?

My experience is that the statistics in Snort 2 are quite reliable, in Snort
1.9 not. I may do some checks. As far as I can recall my Snort 1.9 tests, the
statistics were fine only if Snort did not lose any packets.

Are you able to share your tcpdump files you are using with tcpreplay so I
can test it with my 64bit machines?


I hope i could explain the situation.

Thanks in advance


Regards,

Edin

-- 
Edin Dizdarevic
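The two threads above (Mehmet's packet-count puzzle, and Masood's question of whether the SPAN port is delivering the expected rate) both come down to reading the kernel's interface counters and comparing them with what Snort claims. The following is an added example, not code from the thread or from Snort: it parses /proc/net/dev snapshots, turns the deltas into packet and kbit/s figures, pulls the numbers out of Snort's shutdown summary, and splits the loss into "never reached the kernel" versus "kernel delivered it, Snort did not analyze it". The /proc/net/dev snapshots are constructed (the eth1 packet total mirrors the 3.800.000 quoted above, bytes and drops are made up), the summary-line wording is assumed from Snort 2.0, and all function names are mine.

```python
"""Added example (not code from the thread or from Snort): reconcile the packet
counts Snort reports at shutdown with the kernel's own interface counters in
/proc/net/dev, which the thread agrees are the trustworthy ones, and turn a
byte-counter delta into a link rate for a SPAN-port sanity check."""
import re

# Constructed /proc/net/dev snapshots of a sensor interface taken before and
# after a replay.  The eth1 packet total (3.800.000) mirrors the thread; byte
# and drop counts are made up.
PROC_NET_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      10    0    0    0     0          0         0     1200      10    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""
PROC_NET_DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      10    0    0    0     0          0         0     1200      10    0    0    0     0       0          0
  eth1: 2736000000 3800000    0 12000    0     0          0         0        0       0    0    0    0     0       0          0
"""

RX_FIELDS = ("rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo",
             "rx_frame", "rx_compressed", "rx_multicast")
TX_FIELDS = ("tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo",
             "tx_colls", "tx_carrier", "tx_compressed")


def parse_proc_net_dev(text):
    """Map interface name -> counters.  Splitting on ':' also copes with old
    kernels that glue the name to the first number ("eth1:1234 ...")."""
    table = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        values = [int(v) for v in rest.split()]
        table[iface.strip()] = dict(zip(RX_FIELDS + TX_FIELDS, values))
    return table


def counter_delta(before, after, iface):
    return {k: after[iface][k] - before[iface][k] for k in after[iface]}


def link_kbps(byte_delta, seconds):
    """Average rate over the interval, in kilobits per second."""
    return byte_delta * 8 / 1000.0 / seconds


# Snort 2.0's summary reads "Snort analyzed N out of M packets, ..." (assumed
# wording); the regex also accepts the thread's paraphrase with '.' separators.
SNORT_SUMMARY_RE = re.compile(r"analy[sz]ed\s+([\d.,]+)\D+?([\d.,]+)\s+packets", re.I)


def parse_snort_summary(line):
    """Return (analyzed, total) from Snort's shutdown summary line."""
    m = SNORT_SUMMARY_RE.search(line)
    if not m:
        raise ValueError("no packet summary in %r" % line)
    return tuple(int(re.sub(r"[.,]", "", g)) for g in m.groups())


def reconcile(sent, kernel_rx, snort_analyzed, snort_total):
    """Split the loss into what never reached the kernel and what the kernel
    delivered but Snort did not analyze, and flag a Snort total that exceeds
    what the kernel says arrived (the sign of broken Snort statistics)."""
    return {
        "nic_or_driver_loss": sent - kernel_rx,
        "capture_loss": kernel_rx - snort_analyzed,
        "snort_total_plausible": snort_total <= kernel_rx,
        "analyzed_pct_of_kernel_rx": round(100.0 * snort_analyzed / kernel_rx, 1),
    }


if __name__ == "__main__":
    before = parse_proc_net_dev(PROC_NET_DEV_BEFORE)
    after = parse_proc_net_dev(PROC_NET_DEV_AFTER)
    d = counter_delta(before, after, "eth1")
    print("eth1 received %d packets (%d dropped by kernel), %.0f kbit/s over 240 s"
          % (d["rx_packets"], d["rx_drop"], link_kbps(d["rx_bytes"], 240.0)))
    analyzed, total = parse_snort_summary(
        "Snort analysed 3.800.000 packets out of 7.400.000 packets dropping the rest")
    print(reconcile(4_800_000, d["rx_packets"], analyzed, total))
```

Fed Mehmet's second run (kernel 3.800.000, Snort "3.800.000 out of 7.400.000"), `reconcile` reports zero capture loss and `snort_total_plausible: False`: Snort's total is larger than anything the NIC delivered, so the "dropped" figure has no physical source and should not be used for the thesis numbers. The same `rx_bytes` delta, sampled over a known interval on the SPAN-facing interface, gives the kbit/s figure to compare with the router's own counters.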



--__--__--

Message: 10
From: Robert Perez <Robert.Perez () intercept net>
To: "Snort-Users (snort-users () lists sourceforge net)"
         <snort-users () lists sourceforge net>
Date: Wed, 13 Aug 2003 12:44:42 -0400
Subject: [Snort-users] Compiling BarnyRD

Hi all,

I am trying to compile barnyard and every time I get the error "unable to
find mysql client libraries".  I have installed the client and server
version of Mysql and have even pointed the
./configure...--with-mysql-libraries  to the appropriate directory but it
still fails.  Please help


--__--__--

Message: 11
Date: Thu, 14 Aug 2003 07:55:06 -0400
From: Bennett Todd <bet () rahul net>
To: JP Vossen <vossenjp () netaxs com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DCOM Snort Sigs



2003-08-14T01:37:04 JP Vossen:
2003-08-13T14:38:08-0700 Dragos Ruiu:
Counterpane has some useful snort sigs at:

http://www.counterpane.com/alert-v20030801-001.html
True, but they are all just reposts from the Snort-Sigs list.
They are all nicely in one place though...

I must have missed most of 'em. I've been trying to collect every
distinct sig I've seen posted, and the only ones on that counterpane
page that I'd had in my collection were the two "official" snort db
ones, sids 2192 and 2193.

I attach my collection as it stands at this point.

NB I had to tear the "references:" out of a couple of 'em, they were
gagging my snort and I couldn't figure out why.

-Bennett

[Attachment: local.rules]

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference:bugtraq,8205; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference:bugtraq,8205; rev:1;)
# depth raised from 2 to 13 in the two MSBLAST rules below: the pattern is 13 bytes long, so depth:2 could never match
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (sid: 1000024; rev: 3; msg: "W32/MSBLAST Worm over TFTP"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; classtype: trojan-activity; priority: 1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (sid: 1000025; rev: 4; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; classtype: trojan-activity; priority: 1;)
alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
alert tcp any 3333 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1;)
alert tcp any any -> any 445 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 445"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

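To make the matching logic of these rules concrete, here is an added example, not Snort's code and not part of Bennett's attachment: a toy re-implementation of the content/byte_test semantics that sid 2192 and the "DCE RPC Interface Buffer Overflow Exploit" rule rely on, run over a bind request built from the hex in the dcom*.c rule above. The function names, the all-zero replacement UUID, the cleared first-fragment flag and the UTF-16 UNC strings are my constructions, and the distance/within window handling is simplified relative to Snort's detection engine (the rule header and `flow` checks are not modelled at all).

```python
"""Toy re-implementation of the Snort 2 payload-matching semantics used by the
DCOM rules above (content with |hex| escapes, offset/depth, distance/within,
negated content, byte_test), run against constructed DCERPC payloads.
Added example code, not Snort's engine."""

# --- constructed sample payloads ---------------------------------------------
# Bind to the ISystemActivator interface, taken byte-for-byte from the
# "Possible dcom*.c EXPLOIT ATTEMPT" rule's content string above.
BIND_TO_ISYSTEMACTIVATOR = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 "
    "01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00")
# Same bind, but a made-up all-zero interface UUID at offset 32.
BIND_TO_OTHER_INTERFACE = (BIND_TO_ISYSTEMACTIVATOR[:32] + bytes(16)
                           + BIND_TO_ISYSTEMACTIVATOR[48:])
# Same bind with pfc_flags (byte 3) = 0x02: "last fragment" only, first-frag bit clear.
BIND_NOT_FIRST_FRAG = (BIND_TO_ISYSTEMACTIVATOR[:3] + b"\x02"
                       + BIND_TO_ISYSTEMACTIVATOR[4:])
# Constructed UTF-16LE UNC strings for the negation rule; the leading 00 is the
# high byte of whatever character precedes the two backslashes.
UNC_LONG_SERVER = b"\x00" + ("\\\\" + "A" * 20).encode("utf-16-le")
UNC_SHORT_SERVER = b"\x00" + "\\\\A\\share".encode("utf-16-le")


def parse_content(spec):
    """Snort content string -> bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def _find(window, needle, nocase):
    if nocase:
        window, needle = window.lower(), needle.lower()
    return window.find(needle)


def evaluate(checks, payload):
    """Run a rule's payload checks in order.  `cursor` plays the role of Snort's
    doe_ptr: the byte just past the last positive content match."""
    cursor = 0
    for c in checks:
        if c["kind"] == "content":
            pat = parse_content(c["pattern"])
            if "distance" in c or "within" in c:          # relative to previous match
                start = cursor + c.get("distance", 0)
                end = start + c["within"] if "within" in c else len(payload)
            else:                                           # absolute: offset/depth
                start = c.get("offset", 0)
                end = start + c["depth"] if "depth" in c else len(payload)
            pos = _find(payload[start:end], pat, c.get("nocase", False))
            if c.get("negated", False):
                if pos != -1:
                    return False
                continue                                    # negated content leaves cursor alone
            if pos == -1:
                return False
            cursor = start + pos + len(pat)
        elif c["kind"] == "byte_test":
            base = cursor if c.get("relative", False) else 0
            chunk = payload[base + c["offset"]: base + c["offset"] + c["size"]]
            if len(chunk) < c["size"]:
                return False
            n = int.from_bytes(chunk, "big")                # Snort's default byte order
            v = c["value"]
            if not {"&": (n & v) != 0, "=": n == v, ">": n > v, "<": n < v}[c["op"]]:
                return False
        else:
            raise ValueError("unknown check kind: " + c["kind"])
    return True


# Payload part of sid:2192 (header/flow options are outside this model).
SID_2192 = [
    {"kind": "content", "pattern": "|05|", "distance": 0, "within": 1},   # DCERPC version 5
    {"kind": "content", "pattern": "|0b|", "distance": 1, "within": 1},   # packet type 11 = bind
    {"kind": "byte_test", "size": 1, "op": "&", "value": 1, "offset": 0,
     "relative": True},                                                    # pfc_flags: first fragment
    {"kind": "content", "pattern": "|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|",
     "distance": 29, "within": 16},                                        # ISystemActivator UUID
]
# "DCE RPC Interface Buffer Overflow Exploit": UTF-16 "\\" followed by no
# further backslash within 32 bytes, i.e. an over-long server name.
RULE_DCERPC_BUFOVF = [
    {"kind": "content", "pattern": "|00 5C 00 5C|"},
    {"kind": "content", "pattern": "|5C|", "negated": True, "within": 32},
]

if __name__ == "__main__":
    for name, p in (("ISystemActivator bind", BIND_TO_ISYSTEMACTIVATOR),
                    ("other interface bind", BIND_TO_OTHER_INTERFACE),
                    ("not first fragment", BIND_NOT_FIRST_FRAG)):
        print("%-22s sid 2192 -> %s" % (name, evaluate(SID_2192, p)))
    print("long UNC server name   bufovf   -> %s" % evaluate(RULE_DCERPC_BUFOVF, UNC_LONG_SERVER))
    print("short UNC server name  bufovf   -> %s" % evaluate(RULE_DCERPC_BUFOVF, UNC_SHORT_SERVER))
```

Walking sid 2192 through the bind shows why the rule is shaped the way it is: the two one-byte contents pin the DCERPC version and packet type at offsets 0 and 2, the relative `byte_test` checks the first-fragment bit in pfc_flags at offset 3, and `distance:29; within:16` then lands exactly on the 16-byte interface UUID at offset 32. Clearing the first-fragment bit or binding to a different UUID makes the same payload fall through, which is the behaviour to verify before trusting a rule against fragmented binds.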



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



