Snort rule

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    188

    Snort rule

    I need a Snort rule for the MS Blaster worm and its variants. I tried it on my own but had no success.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This claims to work..... But I can't test it 'cos I don't have the worm...... ;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"DCE RPC Interface Buffer Overflow exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference: bugtraq,8205; rev: 1; )

    This alerts on an infected PC attempting to infect other PCs. You might want to change the $EXTERNAL_NET to any in case a machine works on the internal network.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
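An added example, not part of the original posts: a small Python model of what the rule in reply #2 evaluates, showing the negated `content` with `within:32` and why the reply suggests changing `$EXTERNAL_NET` to `any`. The `HOME_NET` value, the reading of `$EXTERNAL_NET` as `!$HOME_NET`, the helper names and the sample payloads are assumptions made for illustration; `flow:to_server,established` is not modelled.

```python
import ipaddress

# Assumptions: HOME_NET is a constructed value, EXTERNAL_NET is taken as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")

FIRST = bytes.fromhex("005C005C")   # content:"|00 5C 00 5C|"
NEGATED = bytes.fromhex("5C")       # content:!"|5C|"
WITHIN = 32                         # within:32

def payload_matches(payload: bytes) -> bool:
    """True if some occurrence of FIRST has no NEGATED byte in the next WITHIN bytes."""
    pos = payload.find(FIRST)
    while pos != -1:
        end = pos + len(FIRST)
        # Simplification: a window cut short by the end of the payload still counts.
        if NEGATED not in payload[end:end + WITHIN]:
            return True
        pos = payload.find(FIRST, pos + 1)  # retry from the next occurrence
    return False

def header_matches(src: str, dst: str, dport: int, dst_any: bool = False) -> bool:
    """Model of 'tcp $HOME_NET any -> $EXTERNAL_NET 135' (or '-> any 135')."""
    src_ok = ipaddress.ip_address(src) in HOME_NET
    dst_ok = dst_any or ipaddress.ip_address(dst) not in HOME_NET
    return src_ok and dst_ok and dport == 135

def alerts(src, dst, dport, payload, dst_any=False) -> bool:
    return header_matches(src, dst, dport, dst_any) and payload_matches(payload)

def unc(host: str) -> bytes:
    """Constructed sample: zero padding plus a UTF-16LE UNC-style path (not a real RPC request)."""
    return b"\x00" * 4 + ("\\\\" + host + "\\share").encode("utf-16-le")

SHORT = unc("SRV01")    # backslash after the host name falls inside the 32-byte window
LONG = unc("A" * 40)    # no backslash in the 32 bytes after the leading "\\"

if __name__ == "__main__":
    cases = [
        ("outbound, long host", alerts("192.168.1.10", "203.0.113.5", 135, LONG)),
        ("internal, rule as posted", alerts("192.168.1.10", "192.168.1.20", 135, LONG)),
        ("internal, destination any", alerts("192.168.1.10", "192.168.1.20", 135, LONG, True)),
        ("outbound, short host", alerts("192.168.1.10", "203.0.113.5", 135, SHORT)),
    ]
    for name, fired in cases:
        print(f"{name}: {'alert' if fired else 'no alert'}")
```

With the header as posted, traffic between two hosts inside `HOME_NET` never reaches the payload check, which is the gap the reply's `any` suggestion closes.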
