Snort mailing list archives
Re: Microsoft DCOM RPC Worm Alert
From: Brian <bmc () snort org>
Date: Thu, 28 Aug 2003 11:24:15 -0400
On Tue, Aug 12, 2003 at 11:56:26AM -0400, David wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \ (msg:"DCE RPC Interface Buffer Overflow Exploit"; \ content:"|00 5C 00 5C|"; \ content:!"|5C|"; within:32;\ flow:to_server,established; \ reference:bugtraq,8205; rev: 1;)
This rule is easily evadable. Sure, the vulnerability is predicated by an overly long path. That doesn't mean the service validates the path before it attempts to deal with it. Take any of the exploits and change the path from \\[lotsocrap]\C$\123456111111111111111.doc to random crap and it will still crash the service. -brian ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Microsoft DCOM RPC Worm Alert IntegPatchMgr (Aug 12)
- <Possible follow-ups>
- RE: Microsoft DCOM RPC Worm Alert Slighter, Tim (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Sam Evans (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Simon Gray (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Bruno Saverio Delbono (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert Robert Reid (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert Erek Adams (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Patrick Dolan (Aug 12)
- RE: Microsoft DCOM RPC Worm Alert David (Aug 12)
- Re: Microsoft DCOM RPC Worm Alert Brian (Aug 28)
- RE: Microsoft DCOM RPC Worm Alert Esler, Joel Contractor (Aug 13)
- RE: Microsoft DCOM RPC Worm Alert John Creegan (Aug 13)