Message-ID: <005901c35715$b08790b0$6500a8c0@THINKPAD>
From: security at jonbaer.net (Jon Baer)
Subject: DCOM RPC exploit IDS rule?

Here are the snort rules that were posted to the list last week ...

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47

----- Original Message -----
From: "Dave Killion" <Dkillion@...screen.com>
To: "'Joshua Thomas'" <JThomas@...eronemedia.com>; <full-disclosure@...ts.netsys.com>
Sent: Wednesday, July 30, 2003 2:48 PM
Subject: RE: [Full-Disclosure] DCOM RPC exploit IDS rule?

> NetScreen IDP has it in this week's signature update, already out.
>
> When placed in in-line mode and with a rule set to 'drop connection' it
> denies the exploit before it reaches into the network.
>
> Sorry for the corporate plug, but someone asked.
>
> I'm not in Support, so I haven't heard from customers how active it is.
>
> I hope this information is helpful,
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.
>
>
> -----Original Message-----
> From: Joshua Thomas [mailto:JThomas@...eronemedia.com]
> Sent: Wednesday, July 30, 2003 1:48 PM
> To: 'full-disclosure@...ts.netsys.com'
> Subject: [Full-Disclosure] DCOM RPC exploit IDS rule?
>
>
> Two questions:
> 1) Are there IDS rules out for the DCOM RPC exploit yet?
> 2) If so, how much activity in "the wild" has anyone seen on their IDS
> of choice for this exploit?
>
> Cheers,
>
> Joshua Thomas
> Network Operations Engineer
> PowerOne Media, Inc.
> tel: 518-687-6143
> jthomas@...eronemedia.com
>
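As an added example (not part of the original post, and not the rule author's tooling), a small Python matcher that parses the Snort content option, including the |..| hex notation these rules use, and reports which MS03-026 signature a given TCP/135 payload would trigger. The rule text inside it is a copy of the seven rules above with the reference options dropped; the matching is a minimal substring check, not Snort's full offset/depth semantics; any test payload is constructed filler around one pattern.

```python
import re

# The seven MS03-026 Snort rules from the message above, copied here with the
# reference options dropped so the text stays short (constructed sample).
RULES = """
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; rev:1;)
"""

# One rule option: a keyword, then either a quoted string or bare text, up to ';'.
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def snort_content_bytes(value):
    """Decode a Snort content value: text outside |...| is literal,
    text inside |...| is space-separated hex (case-insensitive)."""
    out = bytearray()
    for i, chunk in enumerate(value.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

def parse_rules(text):
    """Parse rule lines into dicts with sid, msg, destination port and patterns."""
    rules = []
    for line in text.strip().splitlines():
        header, _, body = line.partition('(')   # options start after the first '('
        opts, contents = {}, []
        for key, val in OPTION_RE.findall(body):
            val = val.strip().strip('"')
            if key == 'content':
                contents.append(snort_content_bytes(val))
            else:
                opts[key] = val
        rules.append({'sid': int(opts['sid']), 'msg': opts['msg'],
                      'dport': header.split()[6], 'contents': contents})
    return rules

def match(rules, dport, payload):
    """Return sids of rules whose destination port and every content pattern
    occur in the given TCP payload (plain substring check, no offset/depth)."""
    return [r['sid'] for r in rules
            if r['dport'] in ('any', str(dport))
            and all(c in payload for c in r['contents'])]
```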