
RE: [Snort-sigs] DCom RPC attack response sig

From: Michael Anuzis <michael_anuzis(at)hotmail.com>
Date: Tue Aug 05 2003 - 19:41:40 EDT


The any - 4444 rule will only work via the Windows-based exploit that opens the shell on port 4444 to netcat to. It won't work for the UNIX variant. Also, now that the script-kids have supposedly switched their port from 4444 to 3333, it would be a good idea to use the any any as suggested.

One small typo that may want to get corrected before the rules are added to the list would be in the first rule:
Responce --> Response

Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.

>From: "Esler, Joel Contractor" <joel.esler@rcert-s.army.mil>
>To: "'snort-sigs@lists.sourceforge.net'" <snort-sigs@lists.sourceforge.net>
>Subject: RE: [Snort-sigs] DCom RPC attack response sig




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue Aug 5 20:17:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:33 EDT

