Snort mailing list archives
RE: MS03-043
From: "Adams, Samuel (contractor)" <AdamsS () eur disa mil>
Date: Thu, 23 Oct 2003 15:54:55 -0000
I would add a sid and revision number (something like sid: 1000005; rev: 1). Remember that all sids under 1,000,000 are reserved. Also it might not be a bad idea to throw a size in there. Maybe dsize: >100? Should improve performance if nothing else. If you can make more sense of the exploit code than I can, you can probably come up with a better number.

Do you have a packet capture of an exploit attempt? I'd like to see it if you wouldn't mind.

Thanks,
Sam

-----Original Message-----
From: Jeremy Junginger [mailto:jj () act com]
Sent: Wednesday, October 22, 2003 2:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS03-043

Have any of you written a signature for the exploits outlined for MS03-043?

References:
http://www.securityfocus.com/bid/8826
http://www.securityfocus.com/data/vulnerabilities/exploits/MS03-043_poc.c
http://www.securityfocus.com/data/vulnerabilities/exploits/ms03-043.c

I was thinking something like:

alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow Attempt"; content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; classtype:attempted-admin;)

Does that look like a viable signature based on the POC? Also, is it syntactically accurate? If you'd like to look over a packet capture produced by the poc code, I'd be happy to send it along...

TIA

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
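The rule from the thread, with the sid/rev and dsize additions suggested in the reply, reduced to a small Python evaluator so the two options can be tried against sample packets. This is an added example, not code from the thread or from Snort itself; the sid, rev and dsize values and the three sample payloads are assumptions. It shows why the dsize test is a cheap pre-filter that runs before any byte search, and how the |...| hex content is compared as raw bytes.

```python
# Added example (not from the thread or from Snort): evaluate the rule's dsize/content options.
# The thread's rule plus the reply's suggestions; sid/rev/dsize values are hypothetical.
RULE = ('alert udp any any -> $HOME_NET 135 ('
        'msg:"MS03-043 Messenger Overflow Attempt"; dsize:>100; '
        'content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; '
        'classtype:attempted-admin; sid:1000005; rev:1;)')

def parse_options(rule):
    """Split the option body into (key, value) pairs; assumes no ';' inside quoted values."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = [o.strip().partition(":") for o in body.split(";") if o.strip()]
    return [(k.strip(), v.strip()) for k, _, v in opts]

def content_bytes(value):
    """Turn a content string like 'ab|14 14|' into bytes: text is literal, |...| is hex."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(chunk.replace(" ", "")) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def dsize_ok(spec, length):
    """Evaluate a dsize test (">N", "<N" or "N") against a payload length."""
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return {">": length > num, "<": length < num, "=": length == num}[op]

def rule_matches(rule, payload):
    """True when every dsize/content option holds. Other options and the
    offset/depth/distance/within content modifiers are ignored."""
    for key, val in parse_options(rule):
        if key == "dsize" and not dsize_ok(val, len(payload)):
            return False  # the cheap length test rejects the packet before any byte search
        if key == "content" and content_bytes(val) not in payload:
            return False
    return True

def local_sid_ok(rule):
    """Local rules must use sid >= 1,000,000; lower sids are reserved for the official set."""
    sid = dict(parse_options(rule)).get("sid")
    return sid is not None and int(sid) >= 1_000_000

# Constructed UDP payloads (not captured traffic): only the first should alert.
SAMPLES = {
    "long_with_run": b"A" * 60 + b"\x14" * 64 + b"B" * 40,  # 164 bytes, 0x14 run present
    "short_with_run": b"\x14" * 16,                           # run present but dsize:>100 fails
    "long_no_run": bytes(range(256)),                         # 256 bytes, no 10-byte 0x14 run
}
```

Calling rule_matches(RULE, payload) for each entry in SAMPLES returns True only for "long_with_run"; the short packet is dropped by dsize before content is ever searched.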
Current thread:
- MS03-043 Jeremy Junginger (Oct 22)
- <Possible follow-ups>
- RE: MS03-043 Adams, Samuel (contractor) (Oct 25)