The US-CERT shared the following Snort signature with us today. This is for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary. If this signature alerts, please let us know via the contact form.
alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |"; classtype:malicious-activity; sid:1000003; rev:1;)

Note that RPC_PORTS is a placeholder for 135, 139, 445.

UPDATE: Russ wrote us with some additional ideas:

In order to make the US-CERT rule work I had to do as follows:

Add to snort.conf under network variables:

    # Placeholder for 135, 139, 445
    var RPC_PORTS 135
    var RPC_PORTS 139
    var RPC_PORTS 445

Add to classification.config under NEW CLASSIFICATIONS:

    config classification: malicious-activity,Malicious Activity,2

Then I dropped the actual rule in rpc.rules.

Thanks, Russ!!

Marcus H. Sachs
SRI International
Director, SANS Internet Storm Center
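To make concrete what the signature above actually tests for, here is an added example (not part of the original diary, nor US-CERT or Snort code) that converts the rule's Snort-style content string (the "|...|" hex notation) into raw bytes and checks constructed sample packets against the same two conditions the rule expresses: a destination port in the RPC_PORTS set (135, 139, 445) and the 8-byte indicator anywhere in the TCP payload. The Packet class, the sample payloads and the function names are assumptions made for this illustration; a real deployment would rely on Snort itself, with its stream reassembly and preprocessors, rather than on a per-packet substring test like this one.

```python
from dataclasses import dataclass

# The three ports the diary says $RPC_PORTS stands for.
RPC_PORTS = {135, 139, 445}

# The content string exactly as it appears in the US-CERT rule.
RULE_CONTENT = "| 90 90 EB 04 2B 38 03 78 |"


@dataclass
class Packet:
    """Hypothetical minimal TCP packet: ports plus raw payload (constructed for this example)."""
    src_port: int
    dst_port: int
    payload: bytes


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string into bytes.

    Text outside |...| is taken literally; text inside |...| is a run of
    whitespace-separated hex bytes. Escaped pipes (\\|) are not handled here.
    """
    out = bytearray()
    for idx, part in enumerate(content.split("|")):
        if idx % 2 == 1:            # odd segments sit between a pair of pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                       # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


INDICATOR = snort_content_to_bytes(RULE_CONTENT)


def matches_rule(pkt: Packet, indicator: bytes = INDICATOR, ports=RPC_PORTS) -> bool:
    """Mirror the rule's two conditions: destination port in $RPC_PORTS and content present."""
    return pkt.dst_port in ports and indicator in pkt.payload


def scan(packets):
    """Return the indices of packets that would raise the alert."""
    return [i for i, pkt in enumerate(packets) if matches_rule(pkt)]


# Constructed sample traffic: filler bytes with the indicator embedded or absent.
SAMPLE_PACKETS = [
    Packet(49152, 445, b"\x05\x00\x0b" + b"A" * 16 + INDICATOR + b"B" * 8),  # alerts: port 445, indicator present
    Packet(49153, 80, b"GET / HTTP/1.0\r\n" + INDICATOR),                      # no alert: port 80 is not in $RPC_PORTS
    Packet(49154, 139, b"\x00\x00\x00\x2c\xffSMB" + b"C" * 32),                 # no alert: port matches, no indicator
    Packet(49155, 135, INDICATOR),                                               # alerts: indicator is the whole payload
]

if __name__ == "__main__":
    print("indicator bytes:", INDICATOR.hex())
    print("alerting packets:", scan(SAMPLE_PACKETS))
```

Because `content` matching in Snort is a plain byte search, the same check here is a substring test; the port set is what keeps the rule from firing on unrelated traffic carrying the same bytes, as the HTTP sample shows.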
Marcus, ISC Handler, Aug 11th 2006