SANS ISC InfoSec Forums: Snort Sig for MS06-040
Snort Sig for MS06-040
US-CERT shared the following Snort signature with us today. It is written for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary. If this signature fires in your environment, please let us know via the contact form.

alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  classtype:malicious-activity; sid:1000003; rev:1;)

Note that $RPC_PORTS is a placeholder for the destination ports 135, 139 and 445; Snort will not load the rule until that variable is defined in snort.conf.
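To sanity-check what the rule will and will not match before loading it into a sensor, here is an added Python example (not part of the diary and not supplied by US-CERT) that converts the content option's |..| hex notation into raw bytes and applies the rule's two conditions, destination port in $RPC_PORTS and byte pattern present in the payload, to a handful of constructed TCP payloads. The TcpSegment class, the sample payloads and the helper names are assumptions made for this example; a real Snort run also applies flow state and preprocessors, which this emulation ignores.

```python
"""Emulate the US-CERT MS06-040 Snort rule against constructed TCP payloads.

Added example, not code from the ISC diary or from US-CERT. It reproduces
the two checks the rule makes (destination port in $RPC_PORTS and the raw
byte pattern present in the payload). All packet contents are constructed.
"""
from dataclasses import dataclass

# The diary says $RPC_PORTS is a placeholder for these three ports.
RPC_PORTS = frozenset({135, 139, 445})

# The content option exactly as it appears in the US-CERT rule.
US_CERT_CONTENT = "| 90 90 EB 04 2B 38 03 78 |"


def parse_snort_content(spec: str) -> bytes:
    """Translate the text of a Snort content:"..." option into raw bytes.

    Characters outside pipes are literal; between a pair of pipes Snort
    expects hex digits with optional whitespace. Backslash escapes such as
    \\| \\" \\; \\\\ are honoured outside the pipes.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex section in content")
            hexdigits = "".join(spec[i + 1:end].split())
            if len(hexdigits) % 2:
                raise ValueError("odd number of hex digits in content")
            out += bytes.fromhex(hexdigits)
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))  # escaped literal character
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


@dataclass(frozen=True)
class TcpSegment:
    """Minimal stand-in for a reassembled TCP segment (assumed, not Snort's)."""
    src_port: int
    dst_port: int
    payload: bytes


PATTERN = parse_snort_content(US_CERT_CONTENT)


def ms06_040_indicator(seg: TcpSegment,
                       pattern: bytes = PATTERN,
                       ports: frozenset = RPC_PORTS) -> bool:
    """alert tcp any any -> any $RPC_PORTS (content:"|90 90 EB 04 2B 38 03 78|")"""
    return seg.dst_port in ports and pattern in seg.payload


def alerting_segments(segments):
    """Return the indices of the segments that would raise sid:1000003."""
    return [i for i, seg in enumerate(segments) if ms06_040_indicator(seg)]


# Constructed samples, not captured traffic. Filler bytes are arbitrary.
SAMPLES = [
    TcpSegment(49152, 445, b"\x05\x00" + b"A" * 16 + PATTERN + b"A" * 8),  # port 445, pattern present
    TcpSegment(49153, 139, b"\x00" * 4 + PATTERN),                          # port 139, pattern present
    TcpSegment(49154, 80, PATTERN),                                          # pattern present, port not in $RPC_PORTS
    TcpSegment(49155, 445, b"\x90" * 8 + b"\xeb\x04" + b"A" * 4),          # NOPs and short jump, but not the full pattern
    TcpSegment(49156, 135, PATTERN[:-1]),                                    # one byte short of the pattern
]

if __name__ == "__main__":
    print("pattern bytes:", PATTERN.hex(" "))
    print("alerting sample indices:", alerting_segments(SAMPLES))
```

Only the first two samples alert: the third carries the pattern to a port outside $RPC_PORTS, and the last two contain only part of the eight-byte sequence, which is why a single content match of this kind is a fairly narrow indicator rather than a general MS06-040 detector.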


Russ wrote us with some additional ideas:

In order to make the US-CERT rule work I had to do as follows:

Add to snort.conf under network variable:

# Placeholder for 135, 139, 445: one definition holding all three ports.
# A later "var RPC_PORTS ..." line replaces an earlier one rather than adding
# to it, so the ports must be listed together. portvar needs a Snort 2.x
# build with port-list support; on older builds, use a var per port and one
# copy of the rule per port.
portvar RPC_PORTS [135,139,445]

Add to classification.config under NEW CLASSIFICATIONS:

config classification: malicious-activity,Malicious Activity,2

Then I dropped that actual rule in rpc.rules.

Thanks, Russ!!

Marcus H. Sachs
SRI International
Director, SANS Internet Storm Center


ISC Handler
Aug 11th 2006