
[Snort-sigs] More DCOM sigs

From: JP Vossen <vossenjp(at)netaxs.com>
Date: Fri Aug 01 2003 - 14:38:25 EDT

At least for dcom.c and dcom48.c, the first thing it seems to do after establishing a session is send bindstr:

C:\tmp> grep bindstr dcom*.c
dcom.c:unsigned char bindstr[]={
dcom.c: if (send(sock,bindstr,sizeof(bindstr),0)== -1)
dcom48.c:unsigned char bindstr[]={
dcom48.c: if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){

So doesn't it make sense to look for that? I wrote a couple of quick sigs, and they worked in my (limited) testing... I know Brian has released
"official" rules, but I admit I'm not 100% sure why he did it the way he did.

Am I missing something here? Please CC: me on replies, as I get the digest of this list.

--- Cut Here ---

alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1;)

alert tcp any any -> any 445 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 445"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101001; rev:1;)

--- Cut Here ---

Thanks,
JP

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       
http://www.jpsdomain.org/
------------------------------|=========|--------------------------------

"The software said it requires Windows XP or better, so I installed
Linux..."
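Added example (my own code, not from JP's post or the Snort project): a parser for the DCE/RPC bind PDU, run on the byte string that both rules above use as their content match. It decodes the common header and the presentation context so a rule author can see what the 72 bytes actually say: a bind, call_id 127, 5840-byte fragments, and one context requesting interface 000001a0-0000-0000-c000-000000000046 over the NDR transfer syntax. The interface name (ISystemActivator) and transfer-syntax name (NDR) are from general knowledge of DCE/RPC and are not stated in the post; the altered-call_id check in the usage below is a constructed input.

```python
import struct
import uuid

# Constructed here from the hex content string in the rules above (the bytes
# between the pipes): exactly the sequence the signatures look for.
BINDSTR = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 "
    "01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00"
)

PTYPE_BIND = 0x0B

# Well-known DCE/RPC identifiers (general knowledge, not from the post).
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def _syntax_id(data, off, endian):
    """Decode a p_syntax_id_t: a 16-byte UUID followed by a 16.16 version."""
    raw = bytes(data[off:off + 16])
    if len(raw) != 16 or len(data) < off + 20:
        raise ValueError("truncated syntax id")
    # DCE UUIDs are written in the sender's byte order (the drep field).
    u = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
    major, minor = struct.unpack(endian + "HH", data[off + 16:off + 20])
    return u, (major, minor)


def parse_dcerpc_bind(data):
    """Parse a connection-oriented DCE/RPC bind PDU (MS-RPCE 2.2.2.3).

    Returns the common header fields plus one entry per presentation context:
    the abstract syntax is the interface being bound to, the transfer
    syntaxes are the encodings the client offers for it.
    """
    data = bytes(data)
    if len(data) < 28:
        raise ValueError("too short for a bind PDU")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = data[0:4]
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    # drep byte 0, bit 4: set = little-endian integers, clear = big-endian.
    endian = "<" if data[4] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", data[8:16])
    if frag_length > len(data):
        raise ValueError("frag_length exceeds available data")
    max_xmit_frag, max_recv_frag, assoc_group_id = struct.unpack(
        endian + "HHI", data[16:24])
    n_context_elem = data[24]            # one byte, then three reserved bytes
    off = 28
    contexts = []
    for _ in range(n_context_elem):
        context_id, n_transfer_syn = struct.unpack(endian + "HB", data[off:off + 3])
        off += 4                           # one reserved byte after n_transfer_syn
        abstract, abstract_ver = _syntax_id(data, off, endian)
        off += 20
        transfers = []
        for _ in range(n_transfer_syn):
            transfers.append(_syntax_id(data, off, endian))
            off += 20
        contexts.append({"context_id": context_id,
                         "abstract_syntax": abstract,
                         "abstract_version": abstract_ver,
                         "transfer_syntaxes": transfers})
    return {"version": (rpc_vers, rpc_vers_minor), "pfc_flags": pfc_flags,
            "frag_length": frag_length, "auth_length": auth_length,
            "call_id": call_id, "max_xmit_frag": max_xmit_frag,
            "max_recv_frag": max_recv_frag, "assoc_group_id": assoc_group_id,
            "contexts": contexts}


def matches_rule_content(payload):
    """What the Snort content option tests: the 72 bytes occur in the payload."""
    return BINDSTR in bytes(payload)


def binds_to_interface(payload, iface):
    """Protocol-level check: is this a bind that requests the given interface?"""
    try:
        pdu = parse_dcerpc_bind(payload)
    except ValueError:
        return False
    return any(ctx["abstract_syntax"] == iface for ctx in pdu["contexts"])


if __name__ == "__main__":
    pdu = parse_dcerpc_bind(BINDSTR)
    print(f"bind: call_id={pdu['call_id']} frag_length={pdu['frag_length']} "
          f"max_xmit={pdu['max_xmit_frag']} max_recv={pdu['max_recv_frag']}")
    for ctx in pdu["contexts"]:
        maj, mn = ctx["abstract_version"]
        print(f"  context {ctx['context_id']}: interface {ctx['abstract_syntax']} v{maj}.{mn}")
        for ts, (tmaj, tmn) in ctx["transfer_syntaxes"]:
            print(f"    transfer syntax {ts} v{tmaj}.{tmn}")
    print("rule content matches:", matches_rule_content(BINDSTR))
    print("binds to ISystemActivator:", binds_to_interface(BINDSTR, ISYSTEMACTIVATOR))
```

The decoded fields separate the protocol constants in the 72 bytes (version 5.0, the bind packet type, the interface UUID and the NDR transfer syntax) from values the client program chose (call_id 127, 5840-byte fragment sizes, context id 1, association group 0). `binds_to_interface` asks the protocol-level question that the exact-byte content match stands in for, which is one way to reason about why a rule keyed to the interface UUID and a rule keyed to the whole bind string will fire on different sets of traffic.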


Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Fri Aug 1 15:21:15 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:33 EDT

