Symantec port 2967 sig (security.ids.snort.bleedingsnort)

```
alert tcp any any -> $HOME_NET 2967:2968 (msg:"BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; classtype:attempted-admin; sid:2003250; rev:1; )
```

Should do the trick. Details are tough to find, but the eEye advisory gave enough info to get a sig out. The data type set is 0x10, then the 0x24 string type, then a \ in the string (0x5c), and a body larger than 380 bytes sets up the exploit. Should be pretty reliable... But please test and let me know!!

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
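To see what the four conditions in the rule actually require of a payload, here is an added example (not from the post or from Bleeding Edge Threats) that emulates the documented semantics of `depth`, `distance`, `within` and `isdataat:...,relative` for sid 2003250 in plain Python and runs it over constructed sample payloads; the helper names and the samples are assumptions made for the example.

```python
"""Emulate the content-matching logic of sid 2003250 (Symantec RTVScan rule)
so the effect of each modifier can be checked on constructed payloads.
The byte-exact semantics follow the Snort manual's description of the
modifiers; this is an illustration, not Snort's own matching engine."""
from typing import Optional


def _find(payload: bytes, pattern: bytes, start: int, window: Optional[int]) -> int:
    """Return the offset just past the first match of pattern that starts at or
    after `start` and ends inside `window` bytes (whole remainder if None), or -1."""
    end = len(payload) if window is None else min(len(payload), start + window)
    idx = payload.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)


def matches_sid_2003250(payload: bytes) -> bool:
    """True when the payload satisfies all four content conditions of the rule."""
    # content:"|10|"; depth:2  -> the 0x10 data type within the first two bytes
    cur = _find(payload, b"\x10", 0, 2)
    if cur < 0:
        return False
    # content:"|00 24 00|"; distance:0; within:20 -> the 0x24 string type must
    # start right after the previous match and end within 20 bytes of it
    cur = _find(payload, b"\x00\x24\x00", cur, 20)
    if cur < 0:
        return False
    # content:"|5c|"; distance:0 -> a backslash anywhere after the string type
    cur = _find(payload, b"\x5c", cur, None)
    if cur < 0:
        return False
    # isdataat:380,relative -> at least 380 bytes of data after the backslash
    return len(payload) - cur >= 380


# Constructed sample payloads (assumed for this example, not captured traffic):
# the framing bytes the rule keys on, followed by filler of a chosen length.
def _build(body_len: int, with_backslash: bool = True) -> bytes:
    head = b"\x10\x00" + b"\x00\x24\x00" + (b"\x5c" if with_backslash else b"")
    return head + b"A" * body_len


MATCHING = _build(400)             # all four conditions hold
SHORT_BODY = _build(100)           # fewer than 380 bytes after the backslash
NO_BACKSLASH = _build(400, False)  # third content never found

if __name__ == "__main__":
    for name, sample in [("MATCHING", MATCHING), ("SHORT_BODY", SHORT_BODY),
                         ("NO_BACKSLASH", NO_BACKSLASH)]:
        print(name, matches_sid_2003250(sample))
```

Pushing the 0x10 byte past the second payload byte, or the string type past the 20-byte window, also fails the rule, which is the sort of variation worth testing before trusting the signature in production.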