Snort mailing list archives
MS03-043
From: "Jeremy Junginger" <jj () act com>
Date: Wed, 22 Oct 2003 07:38:08 -0700
Have any of you written a signature for the exploits outlined for MS03-043? References: http://www.securityfocus.com/bid/8826 http://www.securityfocus.com/data/vulnerabilities/exploits/MS03-043_poc.c http://www.securityfocus.com/data/vulnerabilities/exploits/ms03-043.c I was thinking something like: alert udp any any -> $HOME_NET 135 (msg:"MS03-043 Messenger Overflow Attempt"; content:"|1414 1414 1414 1414 1414|"; reference:cve,CAN-2003-0717; classtype:attempted-admin;) Does that look like a viable signature based on the POC? Also, is it syntactically accurate? If you'd like to look over a packet capture produced by the poc code, I'd be happy to send it along... TIA This e-mail message and all attachments transmitted with it may be confidential and are intended solely for the addressee(s). If you are not the intended recipient or the person responsible for delivering it to the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this message or its attachment(s) is strictly prohibited. If you receive this email in error, please immediately notify the sender of the message or Best Software, Inc. by e-mailing postmaster () bestsoftware com and destroy all copies of this message. Best Software, for the protection of our internal systems and those of our customers, does block most email attachments. ------------------------------------------------------- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- MS03-043 Jeremy Junginger (Oct 22)
- <Possible follow-ups>
- RE: MS03-043 Adams, Samuel (contractor) (Oct 25)