Snort mailing list archives
RE: Microsoft DCOM RPC Worm Alert
From: "David" <dwad24 () excite com>
Date: Tue, 12 Aug 2003 11:56:26 -0400 (EDT)
Hey Robert,

This is a wild stab in the dark, so someone correct me if I err... my guess would be that the slashes "\" have characters after them. (which may be because of email formatting or something, so disregard if that's the case)

A slash in Unix land tells a shell that a command continues on to the next line, and in order for that to work, you cannot have anything after those slashes except a carriage return. I am guessing that snort rules may be modeled after that concept. :) (I hope)

Try putting everything after slashes on a new line. e.g. your rule below would look like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32;\
flow:to_server,established; \
reference:bugtraq,8205; rev: 1;)

Hope that works out!

Dave

>What did I do wrong with this rule? Snort refuses to run it. Error found at line 1543: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \ (msg:"DCE RPC
>Interface Buffer Overflow Exploit"; \ content:"|00 5C 00 5C|"; \
>content:!"|5C|"; within:32; \ flow:to_server,established; \ reference:bugtraq,8205;
>rev: 1;)

-----Original Message-----
From: IntegPatchMgr [mailto:IntegPatchMgr () infosys com]
Sent: Tuesday, August 12, 2003 7:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Microsoft DCOM RPC Worm Alert

Hi,

You can find snort sign for Microsoft DCOM RPC Worm at
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

Regards
Shivabasu

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
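
Added example, not part of the original thread or of Snort itself: a small Python check for the condition David guesses at, a continuation backslash that is not the last character on its line. The function names and the sample text are constructed here; the sample is the rule from this thread with a stray space and a CR placed after two of the backslashes.

```python
import re

# A backslash followed only by whitespace before the line ends. "\r" is included
# because a rules file saved with CRLF endings leaves a CR after every backslash.
BAD_CONTINUATION = re.compile(r"\\([ \t\r]+)$")

def find_bad_continuations(text):
    """Return [(line_number, trailing_chars)] for continuation backslashes
    that are not the last character on their line."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        m = BAD_CONTINUATION.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

def join_rules(text):
    """Strip whitespace after continuation backslashes, then join each
    continued rule into one logical line. Comments and blanks are skipped."""
    rules, parts = [], []
    for line in text.split("\n"):
        line = line.rstrip(" \t\r")
        if not parts and (not line or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
        else:
            parts.append(line.strip())
            rules.append(" ".join(p for p in parts if p))
            parts = []
    if parts:  # file ended on a dangling backslash
        rules.append(" ".join(p for p in parts if p))
    return rules

# Constructed sample: the rule from this thread, with a space typed after the
# backslash on line 2 and a CR left after the one on line 4.
SAMPLE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \\\n'
    '(msg:"DCE RPC Interface Buffer Overflow Exploit"; \\ \n'
    'content:"|00 5C 00 5C|"; \\\n'
    'content:!"|5C|"; within:32;\\\r\n'
    'flow:to_server,established; \\\n'
    'reference:bugtraq,8205; rev: 1;)\n'
)

if __name__ == "__main__":
    for lineno, extra in find_bad_continuations(SAMPLE):
        print(f"line {lineno}: {extra!r} follows the continuation backslash")
    print(join_rules(SAMPLE)[0])
```

Running the same check over a rules file before loading it points at the exact line to fix, and the joined output shows the single logical rule that the continuation lines are meant to form.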