Snort mailing list archives

MS03-043


From: "Jeremy Junginger" <jj () act com>
Date: Wed, 22 Oct 2003 07:38:08 -0700

Have any of you written a signature for the exploits outlined for MS03-043?

References:
http://www.securityfocus.com/bid/8826
http://www.securityfocus.com/data/vulnerabilities/exploits/MS03-043_poc.c
http://www.securityfocus.com/data/vulnerabilities/exploits/ms03-043.c

I was thinking something like:

alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow Attempt"; content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; classtype:attempted-admin;)

Does that look like a viable signature based on the POC?  Also, is it
syntactically accurate?  If you'd like to look over a packet capture produced
by the poc code, I'd be happy to send it along...

TIA
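
Added example (not part of the original post, and not Snort's own code): the sketch below decodes the rule's content option into the bytes it searches for, ten consecutive 0x14 bytes, and applies a simplified match to constructed payloads. It assumes plain substring matching with no offset or depth modifiers; the helper names and sample payloads are hypothetical.

```python
import re

# The rule from the post, joined onto one line.
RULE = ('alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow '
        'Attempt"; content:"|1414 1414 1414 1414 1414|"; '
        'reference:cve,CAN-2003-0717; classtype:attempted-admin;)')

def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string (literal text plus |hex| runs) into bytes."""
    out, hexbuf, in_hex, i = bytearray(), "", False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            if in_hex:  # closing pipe: flush the collected hex digits
                out += bytes.fromhex("".join(hexbuf.split()))
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        else:
            if ch == "\\" and i + 1 < len(pattern):
                i += 1  # backslash escape: take the next character literally
            out += pattern[i].encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| block")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Split a single-line rule into header fields and decoded content patterns."""
    header, _, body = rule.partition("(")
    _action, proto, _src, _sport, _dir, _dst, dport = header.split()
    contents = re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', body)
    return {"proto": proto, "dport": dport,
            "contents": [decode_content(c) for c in contents]}

def rule_matches(parsed: dict, proto: str, dport: int, payload: bytes) -> bool:
    """Simplified match: protocol, destination port, every content present."""
    if proto != parsed["proto"] or parsed["dport"] not in ("any", str(dport)):
        return False
    return all(c in payload for c in parsed["contents"])

# Constructed payloads for illustration; not taken from the PoC or a capture.
HIT = b"\x00" * 4 + b"\x14" * 16 + b"\x00"   # contains ten 0x14 in a row
MISS = b"\x00" * 4 + b"\x14" * 9 + b"\x00"   # only nine in a row

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print(parsed["contents"][0].hex(), rule_matches(parsed, "udp", 135, HIT))
```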




