alert tcp any any -> any 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS Vulnerable DNS RPC Bind"; flow:to_server,established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; flowbits:set,BE.ms.dns.rpc; reference:url,doc.bleedingthreats.net/bin/view/Main/MSRpcDns; sid:2003592; rev:1;)

alert tcp any any -> any 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit (specific to Metasploit Module)"; flow:to_server,established; flowbits:isset,BE.ms.dns.rpc; content:"|05|"; depth:1; content:"|10|"; distance:3; within:1; content:"|01 00|"; distance:17; within:2; reference:url,doc.bleedingthreats.net/bin/view/Main/MSRpcDns; sid:2003593; rev:1;)

alert tcp any any -> any 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS DNS RPC Exploit big endian (specific to Metasploit Module)"; flow:to_server,established; flowbits:isset,BE.ms.dns.rpc; content:"|05|"; depth:1; content:"|00|"; distance:3; within:1; content:"|00 01|"; distance:17; within:2; reference:url,doc.bleedingthreats.net/bin/view/Main/MSRpcDns; sid:2003594;)
The first sig is just for a bind of the specific vulnerable RPC. The second two are specific to the Metasploit module.

There are a lot of other options, but if you're seeing RPC binds from outside your net, or from unknown boxes, you've got trouble.

More as we get it. This is a very complex one to sig.
Matt
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
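To make the offsets in the three rules concrete, here is an added Python example (not part of the original post or the Bleeding Edge rule set) that replays the flowbit chain over constructed DCE/RPC PDUs: a bind carrying the 16-byte interface UUID from the first rule, followed by a request whose version byte, data-representation byte and opnum sit exactly where the depth/distance/within constraints of the second and third rules look. The header field names follow the connection-oriented DCE/RPC PDU layout; the sample PDUs, the interface version in the bind and the fragment sizes are constructed here, not captured traffic.

```python
import struct

# The 16-byte interface UUID exactly as the first rule's content match (wire byte order).
DNS_RPC_IFACE = bytes.fromhex("a4c2ab504d57b3409d66ee4fd5fba076")
# NDR transfer syntax UUID (8a885d04-1ceb-11c9-9fe8-08002b104860) in wire byte order.
NDR_TSYN = bytes.fromhex("045d888aeb1cc9119fe808002b104860")
FLOWBIT = "BE.ms.dns.rpc"

def build_bind(iface_uuid: bytes) -> bytes:
    """Constructed DCE/RPC bind PDU (ptype 11) with one presentation context, 72 bytes."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00", 72, 0, 1)
    body = struct.pack("<HHI", 5840, 5840, 0)          # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)              # one context element
    body += struct.pack("<HBB", 0, 1, 0)              # context id 0, one transfer syntax
    body += iface_uuid + struct.pack("<HH", 5, 0)     # abstract syntax; version is assumed
    body += NDR_TSYN + struct.pack("<HH", 2, 0)       # transfer syntax NDR v2.0
    return hdr + body

def build_request(opnum: int, big_endian: bool = False) -> bytes:
    """Constructed request PDU header (ptype 0), 24 bytes, stub data omitted."""
    endian = ">" if big_endian else "<"
    drep = b"\x00\x00\x00\x00" if big_endian else b"\x10\x00\x00\x00"
    # ver, minor, ptype, flags, drep, frag_len, auth_len, call_id, alloc_hint, ctx_id, opnum
    return struct.pack(endian + "BBBB4sHHIIHH", 5, 0, 0, 0x03, drep, 24, 0, 1, 0, 0, opnum)

def rule_2003592(pdu: bytes) -> bool:
    """Bind to the vulnerable interface: plain content match, no offset constraint."""
    return DNS_RPC_IFACE in pdu

def rule_2003593(pdu: bytes) -> bool:
    """|05| depth:1 -> offset 0 (RPC version 5); |10| distance:3 within:1 -> offset 4
    (drep byte, little-endian); |01 00| distance:17 within:2 -> offset 22 (opnum 1)."""
    return len(pdu) >= 24 and pdu[0] == 0x05 and pdu[4] == 0x10 and pdu[22:24] == b"\x01\x00"

def rule_2003594(pdu: bytes) -> bool:
    """Same offsets, big-endian data representation: drep 0x00 and opnum bytes 00 01."""
    return len(pdu) >= 24 and pdu[0] == 0x05 and pdu[4] == 0x00 and pdu[22:24] == b"\x00\x01"

def inspect_flow(pdus) -> list:
    """Replay the flowbit chain for one TCP flow: 2003592 sets the bit, the others need it."""
    flowbits, fired = set(), []
    for pdu in pdus:
        if rule_2003592(pdu):
            flowbits.add(FLOWBIT)
            fired.append(2003592)
        if FLOWBIT in flowbits:
            fired += [sid for sid, rule in ((2003593, rule_2003593), (2003594, rule_2003594)) if rule(pdu)]
    return fired

if __name__ == "__main__":
    print(inspect_flow([build_bind(DNS_RPC_IFACE), build_request(1)]))  # [2003592, 2003593]
    print(inspect_flow([build_request(1)]))                              # [] without the bind
```

A request with the right opnum but no preceding bind to the interface produces nothing, which is the point of gating the exploit rules on the flowbit rather than matching the 24-byte header on its own.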