DCOM exploit snort signature

["jason" <insidious () cox net>]

Friends,

I was amused to see that a perfectly functional linux based DCOM 'sploit
has been available for a few hours now, conveniently drops a command
shell to listen on 4444/TCP ...

The goods are here:

http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-07/0055.html


I threw together this signature based upon the shellcode that it fired.
I don't know what kind of false positives it will yield, but it's a
start.

alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";
content:"|93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF
2E 39 0B D7 3A|"; classtype:shellcode-detect; sid:6666; rev:1;)


Things could get interesting soon...  :(

jason.b.anderson[at]cox[dot]net






-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users