The US-CERT shared the following Snort signature with us today. This is for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary. If this signature alerts, please let us know via the contact form.
alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |"; classtype:malicious-activity; sid:1000003; rev:1;)
Note that $RPC_PORTS is a placeholder for the TCP ports 135, 139 and 445.
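To see exactly which bytes the rule's content option matches and which destination ports it is scoped to, here is a small Python re-implementation of the rule's match logic. This is an added example, not code from the diary, US-CERT or the Snort project; the "packets" are constructed filler around the published indicator bytes, not captured traffic, and the port set stands in for the $RPC_PORTS placeholder.

```python
import re

# The content: option from the US-CERT rule, and the ports $RPC_PORTS stands for.
SNORT_CONTENT = "| 90 90 EB 04 2B 38 03 78 |"
RPC_PORTS = {135, 139, 445}


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string to the raw bytes Snort searches for.

    Text outside |...| is taken literally; text inside the pipes is hex,
    and any whitespace between the hex byte values is ignored.
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")          # literal segment
        else:
            hexdigits = re.sub(r"\s+", "", chunk)   # hex segment, spaces dropped
            if len(hexdigits) % 2:
                raise ValueError("odd number of hex digits in %r" % chunk)
            out += bytes.fromhex(hexdigits)
    return bytes(out)


INDICATOR = snort_content_to_bytes(SNORT_CONTENT)


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """True when the rule would alert: TCP to an RPC port with the indicator in the payload."""
    return dst_port in RPC_PORTS and INDICATOR in payload


# Constructed samples (destination port, payload). Only the first should alert:
# the second carries the same bytes to a non-RPC port, the third has only part of the pattern.
SAMPLES = [
    (445, b"\x00" * 16 + INDICATOR + b"\x00" * 16),
    (8080, b"\x00" * 16 + INDICATOR),
    (135, b"\x90\x90\xeb\x04" + b"\x00" * 8),
]


def evaluate(samples=SAMPLES):
    """Run the rule over each sample and return the list of alert decisions."""
    return [rule_matches(port, payload) for port, payload in samples]


if __name__ == "__main__":
    for (port, _), hit in zip(SAMPLES, evaluate()):
        print(f"dst port {port}: {'ALERT' if hit else 'no alert'}")
```

The second sample is the point of the $RPC_PORTS scoping: the same eight bytes on a port outside the list produce no alert, so the variable must actually cover 135, 139 and 445 for the rule to be useful.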
Russ wrote us with some additional ideas:
In order to make the US-CERT rule work I had to do as follows:
Add to snort.conf under network variable:
# Placeholder for 135, 139, 445: a port list needs portvar (Snort 2.6 and later);
# defining the same var three times does not accumulate, only the last value is kept
portvar RPC_PORTS [135,139,445]
Add to classification.config under NEW CLASSIFICATIONS:
config classification: malicious-activity,Malicious Activity,2
Then I dropped that actual rule in rpc.rules.
Marcus H. Sachs
Director, SANS Internet Storm Center
Aug 11th 2006