Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian

from [Nigel Houghton] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276
Date: Thu, 30 Jun 2005 22:17:35 -0400 
On  0, Russell Fulton <r.fulton@auckland.ac.nz> allegedly wrote:



Joel Esler wrote:

Are you sure this is a false positive?  The Signature is lookin for  the 
little endian bind in RPC..  This looks to be that.



Hi Joel,
      Thanks for checking this out. I freely admit I would not reconise 
      a "little endian bind in RPC" if it danced naked in front of me 
      singing "Waltzing Matilda" :) as one of my colleagues used to say 
      -- usually in reference to managers.

I do know that this is legit traffic, and since this rule does not have 
any documentation that I can find I'm at a loss to know what to make of 
it.  I may as well disable the rule. AFAIK both machines are windows 
boxes. 
Russell.


First, a real packet capture sent to research at sourcefire.com or any one 
of us on the VRT would certainly help tune the rule if it is a false
positive.

Now, not to beat everyone who "can't find documentation" over the head with
this, but it's getting old...

 # cd /path/to/snort/source/snort/doc/signatures
 # less 3276.txt

 <snip>

 Summary:
 This rule generates an event when an attempt is made to exploit a known
 vulnerability in Microsoft RPC DCOM.

 --
 Impact:
 Execution of arbitrary code leading to full administrator access of the
 machine. Denial of Service (DoS).

 --
 Detailed Information:
 A vulnerability exists in Microsoft RPC DCOM such that execution of 
 arbitrary code or a Denial of Service condition can be issued against a
 host by sending malformed data via RPC.

 The Distributed Component Object Model (DCOM) handles DCOM requests
 sent by clients to a server using RPC. A malformed request to an RPC 
 port will result in a buffer overflow condition that will present the 
 attacker with the opportunity to execute arbitrary code with the 
 privileges of the local system account.

 --
 Affected Systems:
        Windows NT 4.0
        Windows NT 4.0 Terminal Server Edition
        Windows 2000
        Windows XP
        Windows Server 2003

 <snip>

If it's not on snort.org, tell us about that too, we can probably fix
it.

__EOT__

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Matthew Watchinski
Next by Date:  [Snort-sigs] First Meeting of the Open Source Snort Rules Consortium (OSSRC), Jennifer Steffens
Previous by Thread:  Re: [Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276, Russell Fulton
Next by Thread:  [Snort-sigs] First Meeting of the Open Source Snort Rules Consortium (OSSRC), Jennifer Steffens
Indexes:  [Date] [Thread] [Top] [All Lists]