Message-ID: <005901c35715$b08790b0$6500a8c0@THINKPAD>
From: security at jonbaer.net (Jon Baer)
Subject: DCOM RPC exploit IDS rule?

Here are the Snort rules that were posted to the list last week ...

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Dave Killion" <Dkillion@...screen.com>
To: "'Joshua Thomas'" <JThomas@...eronemedia.com>;
<full-disclosure@...ts.netsys.com>
Sent: Wednesday, July 30, 2003 2:48 PM
Subject: RE: [Full-Disclosure] DCOM RPC exploit IDS rule?


> NetScreen IDP has it in this week's signature update, already out.
>
> When placed in in-line mode and with a rule set to 'drop connection' it
> denies the exploit before it reaches into the network.
>
> Sorry for the corporate plug, but someone asked.
>
> I'm not in Support, so I haven't heard from customers how active it is.
>
> I hope this information is helpful,
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.
>
>
> -----Original Message-----
> From: Joshua Thomas [mailto:JThomas@...eronemedia.com]
> Sent: Wednesday, July 30, 2003 1:48 PM
> To: 'full-disclosure@...ts.netsys.com'
> Subject: [Full-Disclosure] DCOM RPC exploit IDS rule?
>
>
> Two questions:
> 1) Are there IDS rules out for the DCOM RPC exploit yet?
> 2) If so, how much activity in "the wild" has anyone seen on their IDS
> of choice for this exploit?
> Cheers,
> Joshua Thomas
> Network Operations Engineer
> PowerOne Media, Inc.
> tel: 518-687-6143
> jthomas@...eronemedia.com
>

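As an added example (not code from the thread or from any of its participants), the following Python matcher parses the Snort rules Jon posted, decodes their `|..|` hex content the way Snort does, and runs them over constructed TCP/135 payloads, so a defender can confirm what the signatures do and do not fire on before loading them into a sensor. The sample payloads are constructed test data, not captures.

```python
import re
from dataclasses import dataclass
# Added example, not code from the thread: the seven rules posted above, one per
# line as Snort requires, trimmed to the header plus msg, content and sid options.
SNORT_RULES = """
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100001;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100002;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100003;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100004;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100005;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; sid:1100006;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; sid:1100007;)
"""
@dataclass
class Rule:
    sid: int
    msg: str
    dst_port: int
    content: bytes

def snort_content_to_bytes(value: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text between
    a pair of pipes is space-separated hex in either case."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

RULE_RE = re.compile(r'alert tcp \S+ \S+ -> \S+ (?P<port>\d+) \(.*?msg:"(?P<msg>[^"]*)";'
                     r'.*?content:"(?P<content>[^"]*)";.*?sid:(?P<sid>\d+);')

def parse_rules(text: str) -> list[Rule]:
    return [Rule(int(m["sid"]), m["msg"], int(m["port"]), snort_content_to_bytes(m["content"]))
            for m in RULE_RE.finditer(text)]

def scan_payload(payload: bytes, dst_port: int, rules: list[Rule]) -> list[int]:
    """SIDs that would alert: destination port matches and the content bytes occur in the payload."""
    return [r.sid for r in rules if r.dst_port == dst_port and r.content in payload]

RULES = parse_rules(SNORT_RULES)
# Constructed sample payloads (not captures): DCE/RPC-looking filler, one carrying
# the Windows 2000 SP4 return-address bytes quoted in the thread, one without.
SAMPLE_HIT = b"\x05\x00\x0b\x03" + b"A" * 16 + bytes.fromhex("9b2af977cce0fd7fcce0fd7f") + b"B" * 8
SAMPLE_BENIGN = b"\x05\x00\x0b\x03" + b"A" * 32

if __name__ == "__main__":
    print(scan_payload(SAMPLE_HIT, 135, RULES))     # [1100005]
    print(scan_payload(SAMPLE_HIT, 80, RULES))      # [] -- port does not match the rule header
    print(scan_payload(SAMPLE_BENIGN, 135, RULES))  # []
```

Each rule keys on one fixed 12-byte return address, so a payload using a different address or encoding is not caught, and nothing restricts the match to client-to-server traffic; adding `flow:to_server,established;` to the rules would cut false positives from responses on port 135.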
