Snort mailing list archives

RE: MS03-043


From: "Adams, Samuel (contractor)" <AdamsS () eur disa mil>
Date: Thu, 23 Oct 2003 15:54:55 -0000

I would add a sid and revision number (something like sid: 1000005; rev: 1).

Remember that all sids under 1,000,000 are reserved. Also it might not be a bad idea to throw a size in there. Maybe dsize: >100? Should improve performance if nothing else. If you can make more sense of the exploit code than I can you can probably come up with a better number.

Do you have a packet capture of an exploit attempt? I'd like to see it if you wouldn't mind. Thanks,

Sam

-----Original Message-----
From: Jeremy Junginger [mailto:jj () act com]
Sent: Wednesday, October 22, 2003 2:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS03-043


Have any of you written a signature for the exploits outlined for MS03-043?

References:
http://www.securityfocus.com/bid/8826
http://www.securityfocus.com/data/vulnerabilities/exploits/MS03-043_poc.c
http://www.securityfocus.com/data/vulnerabilities/exploits/ms03-043.c

I was thinking something like:

alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow Attempt"; content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; classtype:attempted-admin;)

Does that look like a viable signature based on the POC? Also, is it syntactically accurate? If you'd like to look over a packet capture produced by the poc code, I'd be happy to send it along...

TIA





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


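As an added example (not code from the thread, from either poster, or from the Snort project), a small Python linter that applies the checks discussed in the reply (local sid and rev present, a dsize limit, well-formed hex content) to the posted rule and to a copy amended as suggested; the rule parser is a simplified assumption, not Snort's own.

```python
import re

# Constructed examples (not from the thread's attachments): the rule as posted,
# and the same rule with the options suggested in the reply appended.
POSTED_RULE = ('alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow Attempt"; '
               'content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; '
               'classtype:attempted-admin;)')
AMENDED_RULE = POSTED_RULE[:-1] + ' dsize:>100; sid:1000005; rev:1;)'

LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for official rules

# Simplified (assumed) grammar: "action proto src sport dir dst dport (options)"
HEADER_RE = re.compile(r'\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Options are "name;" or "name:value;" where a value may be a quoted string containing ';'
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Return (header dict, ordered [(option, value)]) for a single-line rule."""
    m = HEADER_RE.fullmatch(rule)
    if m is None:
        raise ValueError('rule does not match "action proto src sport dir dst dport (options)"')
    header = dict(zip(('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'), m.groups()))
    options = [(name, (val or '').strip('"')) for name, val in OPTION_RE.findall(m.group(8))]
    return header, options


def lint(rule):
    """Flag the points raised in the thread and return them as a list of strings."""
    _, options = parse_rule(rule)
    opts = dict(options)
    findings = []
    if 'sid' not in opts:
        findings.append('missing sid')
    elif not opts['sid'].isdigit() or int(opts['sid']) < LOCAL_SID_MIN:
        findings.append(f'sid {opts["sid"]} is in the reserved range (use >= {LOCAL_SID_MIN})')
    if 'rev' not in opts:
        findings.append('missing rev')
    if 'dsize' not in opts:
        findings.append('no dsize: every packet to the port is content-matched')
    for name, val in options:
        if name == 'content':
            # Hex sections sit between pipes; spaces are ignored, digits must pair up
            for hexpart in re.findall(r'\|([^|]*)\|', val):
                digits = hexpart.replace(' ', '')
                if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                    findings.append(f'malformed hex in content: |{hexpart}|')
    return findings
```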

