Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Snort Sig for MS06-040 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Snort Sig for MS06-040
The US-CERT shared the following Snort signature with us today.  This is for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary.  If this signature alerts, please let us know via the contact form.

alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  classtype:malicious-activity; sid:1000003; rev:1;)

Note that the RPC_PORTS is a placeholder for 135, 139, 445.

UPDATE

Russ wrote us with some additional ideas:

In order to make the US-CERT rule work I had to do as follows:

Add to snort.conf under network variable:

# Placeholder for 135, 139, 445
var RPC_PORTS 135
var RPC_PORTS 139
var RPC_PORTS 445

Add to classification.config under NEW CLASSIFICATIONS:

config classification: malicious-activity,Malicious Activity,2

Then I dropped that actual rule in rpc.rules.

Thanks, Russ!!


Marcus H. Sachs
SRI International
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!