
RE: [Snort-sigs] DCOM MS03-026 Alpha Rules

From: Paul Tinsley <pdt(at)jackhammer.org>
Date: Tue Jul 29 2003 - 00:57:26 EDT


I have no idea what my web mail client did to those poor signatures but here goes again from a real client as an attachment.

And if that doesn't work here is a link: http://jackhammer.org/rules/dcom.rules

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of pdt@jackhammer.org
Sent: Monday, July 28, 2003 8:54 PM
To: snort-sigs@lists.sourceforge.net

Hey guys,

    I came up with these a little while ago and at least with the dcom.c that is freely available this seems to catch each variation pretty well. I am wondering about false positives and other variations. I would appreciate some testing of these rules if anybody is up for it :) Any feedback would be greatly appreciated. A few minutes ago I saw an 18 target version of the exploit floating around, but don't have time to test it, maybe tomorrow.

Thanks,

    Paul Tinsley

P.S. - There is some documentation at the jackhammer.org reference.


Each of the target (English) platforms (one rule per line):

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

A more "generic" rule to try and catch variations that might affect other language platforms and opcodes not currently known. Not too sure how well this one will work out in the long run, but am giving it out for those who might want it, instead of 7 rules:

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content:"|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)
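As an added illustration (not part of the original post or of the author's rule set), the following script parses two of the rules above the way Snort reads them (pipe-delimited hex inside `content:`, the destination port from the header) and runs them over constructed payloads, showing that the generic rule only fires when both of its `content:` strings are present and that none of the rules inspect ports other than 135. The payloads and the `scan`/`matches` helpers are assumptions for this example, not real captures.

```python
import re

# Two of the rules posted above, each joined onto one line (the archive wrapped them).
# Patterns and sids are the author's; choosing only these two is for this example.
RULES = '''
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; rev:1;)
'''

HEADER = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$')

def decode_content(spec):
    """Turn a Snort content string into bytes: text between |pipes| is hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_rules(text):
    """Extract destination port, msg, sid and all content: patterns from each rule line."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if m:
            opts = m.group(5)
            rules.append({
                'dport': m.group(4),
                'msg': re.search(r'msg:"([^"]*)"', opts).group(1),
                'sid': int(re.search(r'sid:\s*(\d+)', opts).group(1)),
                'contents': [decode_content(c) for c in re.findall(r'content:\s*"([^"]*)"', opts)],
            })
    return rules

def matches(rule, payload, dport):
    """Simplified Snort semantics: header port must match and every content: must occur
    somewhere in the payload (no distance/within, so order is not enforced)."""
    if rule['dport'] != 'any' and int(rule['dport']) != dport:
        return False
    return all(c in payload for c in rule['contents'])

def scan(payload, dport=135):
    """Return the sids of all rules that fire on this payload, in rule-file order."""
    return [r['sid'] for r in parse_rules(RULES) if matches(r, payload, dport)]

# Constructed payloads (not real captures): a blob carrying the dcom.c path string
# and the XP SP1 address bytes, one carrying only the string, and an unrelated one.
DCOM_STRING = '\\\\FXNBFXFX'.encode('utf-16-le')   # the generic rule's first content
XP_SP1_SAMPLE = b'\x05\x00\x0b' + b'\x00' * 8 + DCOM_STRING + b'\x90' * 16 + bytes.fromhex('ba26e677cce0fd7fcce0fd7f')
STRING_ONLY = b'\x05\x00\x0b' + DCOM_STRING + b'\x90' * 8
BENIGN = b'\x05\x00\x0b' + b'\x00' * 8 + b'some unrelated RPC payload'

if __name__ == '__main__':
    for name, p in [('XP_SP1_SAMPLE', XP_SP1_SAMPLE), ('STRING_ONLY', STRING_ONLY), ('BENIGN', BENIGN)]:
        print(name, 'port 135 ->', scan(p), '| port 445 ->', scan(p, 445))
```

The port-445 result is the caveat to keep in mind: the header restricts all eight rules to TCP/135, so the same bytes arriving over another RPC transport would not be inspected by them.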




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



Received on Tue Jul 29 02:05:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:33 EDT

