-
September 2nd, 2003, 08:19 AM
#1
Snort rule
I need a Snort rule for the MS Blaster worm and its variants. I tried it on my own but had no success.
-
September 2nd, 2003, 12:57 PM
#2
This claims to work..... But I can't test it 'cos I don't have the worm...... ;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"DCE RPC Interface Buffer Overflow exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference: bugtraq,8205; rev: 1; )
This alerts on an infected PC attempting to infect other PCs. You might want to change the $EXTERNAL_NET to any in case a machine works on the internal network.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
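Added example, not part of the original posts and not Snort's own code: a simplified Python model of the rule in post #2, showing what its two content tests accept and why the `$EXTERNAL_NET` destination misses internal-to-internal traffic. Assumptions: `HOME_NET` is a constructed sample range, `$EXTERNAL_NET` is taken to be `!$HOME_NET`, the payloads are constructed bytes, and `flow:to_server,established` is not modelled.

```python
import ipaddress

# Constructed values: HOME_NET is a sample range; EXTERNAL_NET is assumed to be !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")

ANCHOR = bytes.fromhex("005C005C")  # content:"|00 5C 00 5C|"
NEGATED = b"\x5c"                   # content:!"|5C|"
WITHIN = 32                         # within:32


def payload_matches(payload: bytes) -> bool:
    """Simplified model of the two content tests, not Snort's matching engine."""
    pos = payload.find(ANCHOR)
    while pos != -1:
        start = pos + len(ANCHOR)
        # Modelling choice: a window cut short by the end of the payload still counts.
        if NEGATED not in payload[start:start + WITHIN]:
            return True
        pos = payload.find(ANCHOR, pos + 1)  # try the next anchor occurrence
    return False


def header_matches(src: str, dst: str, dport: int, dst_any: bool) -> bool:
    """Rule header: tcp $HOME_NET any -> ($EXTERNAL_NET | any) 135."""
    src_ok = ipaddress.ip_address(src) in HOME_NET
    dst_ok = dst_any or ipaddress.ip_address(dst) not in HOME_NET
    return src_ok and dst_ok and dport == 135


def alerts(src, dst, dport, payload, dst_any=False) -> bool:
    """True when both the header and the payload tests of the modelled rule pass."""
    return header_matches(src, dst, dport, dst_any) and payload_matches(payload)


# Constructed payloads (not captured traffic).
# LONG_RUN: no 0x5C in the 32 bytes after the anchor, so the negated test passes.
LONG_RUN = b"\x01\x00" + ANCHOR + b"A\x00" * 20
# SHORT_RUN: a 0x5C appears 8 bytes after the anchor, so the negated test fails.
SHORT_RUN = b"\x01\x00" + ANCHOR + b"A\x00" * 4 + b"\x5c\x00" + b"B\x00" * 20

if __name__ == "__main__":
    for name, dst in (("external", "203.0.113.7"), ("internal", "192.168.1.20")):
        for dst_any in (False, True):
            print(name, "dst_any=%s" % dst_any,
                  alerts("192.168.1.10", dst, 135, LONG_RUN, dst_any))
```

With the rule as posted, the internal destination produces no alert; setting the destination to `any` is what makes the same payload alert between two hosts inside `HOME_NET`.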