I wrote some earlier today and sent them over to the snort signatures list. In my eyes the signatures are still Alpha; they seem to pick up all of the options out of dcom.c really well. I have yet to see a false positive or negative. I am looking for feedback though, so if you use them and find false results in either direction, please let me know so that I can improve the rules.

http://jackhammer.org/rules/dcom.rules

Use either 1100001 - 1100007 or 1100008; if used in conjunction, 8 will override 1-7. I wrote 8 for those who just want to know it is going on but don't care specifically what is being attempted; the other rule sets will tell you down to the SP what attack is being attempted. Be warned with 8, it is very dependent on the dcom.c version of the code. The other 7 are a little more flexible. Read the documentation referenced in the rules for more info.

Thanks,
Paul Tinsley

-----Original Message-----
From: Eric Appelboom [mailto:ericat_private]
Sent: Sunday, July 27, 2003 12:42 PM
To: Compton, Rich; incidentsat_private

Yes, exploits have been released (source code) and win32 compiled binaries. A worm is expected soon; see the full-disclosure thread.

Happy patching

Any1 with snort sig?

-----Original Message-----
From: Compton, Rich [mailto:RComptonat_private]
Sent: 25 July 2003 09:46 PM
To: incidentsat_private

FYI, ISPs are reporting a dramatic increase in traffic on TCP port 135. No exploit code has been captured as of yet, but the increase in traffic on this port probably indicates that exploit code is being executed! Block ports 135 through 139 and 445!

More info: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

-Rich Compton
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:36:55 PDT