2192.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2192

--
Summary:
This rule no longer generates an event when an attempt is made to exploit a known 
vulnerability in Microsoft RPC DCOM.

--
Impact:
Execution of arbitrary code leading to full administrator access of the 
machine. Denial of Service (DoS).

--
Detailed Information:
This rule now uses flowbits and can be set to generate an event by
modifying the rule slightly to remove the "flowbits:no_alert;" option.
When traffic is detected that attempts to bind to the ISystemActivator
object in MS RPC DCOM communications this rule now activates sids 2351
and 2352 to detect exploits against this service. Cool huh?

A vulnerability exists in Microsoft RPC DCOM such that execution of 
arbitrary code or a Denial of Service condition can be issued against a 
host by sending malformed data via RPC.

The Distributed Component Object Model (DCOM) handles DCOM requests sent
by clients to a server using RPC. A malformed request to an RPC port 
will result in a buffer overflow condition that will present the 
attacker with the opportunity to execute arbitrary code with the 
privileges of the local system account.

This vulnerability is also exploited by the Billy/Blaster worm. The worm
also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
number of events generated by this rule may indicate worm activity.

--
Affected Systems:
	Windows NT 4.0
	Windows NT 4.0 Terminal Server Edition
	Windows 2000
	Windows XP
	Windows Server 2003

--
Attack Scenarios:
An attacker may make a request for a file with an overly long filename 
via a network share.

--
Ease of Attack:
Simple. Expoit code exists. This is also exploited by a worm.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
protocols from external sources using a packet filtering firewall.

Block access to port 69 used by the worm to propogate.

Block access to port 4444 used by the worm.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

--