Re: snort signature for W32/Blaster?

From: alex (ntnewsNOSPAM_at_hrz3.hrz.tu-darmstadt.de)
Date: 08/15/03 

Date: Fri, 15 Aug 2003 22:56:37 +0200

> posting you found a solution without posting the solution suxxx.
the solution i found is only for 2.0 and not my 1.8.4 - therefor the problem
is OPEN. sorry... if you have an idea - let me know.

this is for 2.0
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC
ISystemActivator bind attempt"; flow:to_server,established; content:"|05|";
distance:0; within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00
00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352;
classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC
ISystemActivator bind attempt"; flow:to_server,established;
content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|";
distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase;
distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|";
distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00
00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16;
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)

Alex

Relevant Pages

  • Re: Pecos River, NM
    ... Is there a no tresspassing sign posted that I missed? ... gottten someones permission before posting? ... Therefor I have had no ...
    (rec.outdoors.fishing.fly)
  • Re: snort signature for W32/Blaster?
    ... alex wrote: ... snort.org search suxxx. ... posting you found a solution without posting the solution suxxx. ...
    (comp.os.linux.security)
Quantcast