Snort signature and standalone detection tool

Published: 2005-10-21
Last Updated: 2005-10-21 21:29:10 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)
(Kyle Haugsness)  As promised, here is a Snort signature to detect exploit attempts against the Back Orifice pre-processor vulnerability announced this week.  There is a fatal flaw with this signature, which will reduce its overall effectiveness when the attackers get smarter.  But I'm not going to disclose the fatal flaw.  In order to avoid the fatal flaw and detect all attacks, you will need to run the standalone program that is available here: http://handlers.sans.org/khaugsness/

Here's the Snort signature.  Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version!  Also, don't forget to change the "sid" field below...

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)



Keywords:
0 comment(s)
Diary Archives