Re: DCOM RPC exploit IDS rule?

["Jon Baer" <security () jonbaer net>]

here are the snort rules that were posted to the list last week ...

alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin;
sid:1100001;reference:URL,www.microsoft.com/security/security_bulletins/ms03
-026.asp;reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin;
sid:1100002;reference:URL,www.microsoft.com/security/security_bulletins/ms03
-026.asp;reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin;
sid:1100003;reference:URL,www.microsoft.com/security/security_bulletins/ms03
-026.asp;reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin;
sid:1100004;reference:URL,www.microsoft.com/security/security_bulletins/ms03
-026.asp;reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin; sid:1100005;
reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp;ref
erence:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|";
classtype:attempted-admin; sid:1100006;
reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp;
reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows
XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|";
classtype:attempted-admin; sid:1100007;
reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp;
reference:URL,jackhammer.org/rules/1100007; rev:1;)

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Dave Killion" <Dkillion () netscreen com>
To: "'Joshua Thomas'" <JThomas () poweronemedia com>;
<full-disclosure () lists netsys com>
Sent: Wednesday, July 30, 2003 2:48 PM
Subject: RE: [Full-disclosure] DCOM RPC exploit IDS rule?


> NetScreen IDP has it in this week's signature update, already out.
>
> When placed in in-line mode and with a rule set to 'drop connection' it
> denies the exploit before it reaches into the network.
>
> Sorry for the corporate plug, but someone asked.
>
> I'm not in Support, so I haven't heard from customers how active it is.
>
> I hope this information is helpful,
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.
>
>
> -----Original Message-----
> From: Joshua Thomas [mailto:JThomas () poweronemedia com]
> Sent: Wednesday, July 30, 2003 1:48 PM
> To: 'full-disclosure () lists netsys com'
> Subject: [Full-disclosure] DCOM RPC exploit IDS rule?
>
>
> Two questions:
> 1) Are there IDS rules out for the DCOM RPC exploit yet?
> 2) If so, how much activity in "the wild" has anyone seen on their IDS
> of choice for this exploit?
> Cheers,
> Joshua Thomas
> Network Operations Engineer
> PowerOne Media, Inc.
> tel: 518-687-6143
> jthomas () poweronemedia com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html