Snort mailing list archives

Re: MSDTC Vulnerability Rule?


From: Brian <bmc () snort org>
Date: Wed, 6 Feb 2002 18:17:08 -0500

According to John:
Hello Eric,

  With the limited details of this bug I came up with a simple rule. It will
(as usual) require some work from the IDS analysis.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; reference:bugtraq,4006; classtype:attempted-dos;)

Good sig, except according to SecurityFocus's bugtraq database the dos
can be accomplished by using 1024 bytes or more of random data.  When I
get a chance to commit it to CVS, the sig will be like below.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"EXPERIMENTAL MSDTC DoS"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)

-brian
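
Added example (not part of the original post, and not Snort's own code): a simplified Python evaluator for only the destination port, `flags` and `dsize` options of the two rules in this thread, run over constructed payload sizes to show that a packet carrying exactly 1024 bytes fires only the `dsize:>1023` version. The function names and the sample packet values are assumptions made for illustration.

```python
import re

# The two rules from the thread, each joined onto one line.
RULE_FIRST = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 '
              '(msg:"Possible MSDTC DoS"; flags: A+; dsize: >1024; '
              'reference:bugtraq,4006; classtype:attempted-dos;)')
RULE_REVISED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 '
                '(msg:"EXPERIMENTAL MSDTC DoS"; flags:A+; dsize:>1023; '
                'reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:1;)')

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_rule(rule):
    """Return (destination port, {option: value}) for a single-line rule."""
    header, body = rule.split("(", 1)
    dst_port = int(header.split()[-1])
    opts = {}
    for opt in body.rstrip(") ").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip()
    return dst_port, opts

def dsize_matches(spec, size):
    """Handle the '>N', '<N' and 'N' forms of dsize (ranges are not modelled)."""
    op, n = re.fullmatch(r"([<>]?)\s*(\d+)", spec).groups()
    n = int(n)
    return size > n if op == ">" else size < n if op == "<" else size == n

def flags_match(spec, flags):
    """'A+' means ACK set plus any other flags; no modifier means exact match."""
    want = sum(TCP_FLAG_BITS[c] for c in spec if c in TCP_FLAG_BITS)
    return flags & want == want if spec.endswith("+") else flags == want

def rule_fires(rule, dst_port, tcp_flags, payload_len):
    """Simplified: source/destination address variables are not evaluated."""
    port, opts = parse_rule(rule)
    return (dst_port == port and flags_match(opts["flags"], tcp_flags)
            and dsize_matches(opts["dsize"], payload_len))

def compare(sizes=(1023, 1024, 1025), tcp_flags=0x18):
    """Constructed packets to port 3372 with ACK+PSH set, one per payload size."""
    return {n: (rule_fires(RULE_FIRST, 3372, tcp_flags, n),
                rule_fires(RULE_REVISED, 3372, tcp_flags, n)) for n in sizes}

if __name__ == "__main__":
    for size, (first, revised) in compare().items():
        print(f"{size:5d} bytes  dsize:>1024={first}  dsize:>1023={revised}")
```

`dsize` is compared against each packet's payload length, so the boundary shown here applies per packet.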

