sensor not detecting msrpc_dcom_ms03_026

darin.marais
Level 4

Metasploit framework console version 1.99 contains an exploit for msrpc_dcom_ms03_026 (Microsoft RPC DCOM MS03-026). I have set up a lab to see the alarms that would be triggered when this tool is used to attack a remote host.

The exploit is not detected by a Cisco Intrusion Prevention System, Version 5.1(1p1)S232.0.

The sensor sees the packets with the command `packet display <int>`, but no alerts are triggered.

I have checked that there are no filters and that all the signatures for dcom are enabled. The snort sensor that is running in parallel has no problem alerting.

Could someone tell me if I have missed a step, or is this a genuine false negative?

If someone from Cisco is willing to help troubleshoot the problem I will send the pcap file as captured from the Cisco 4250 sensor.

1 Reply

aroethli
Level 1

Signature 3327-6 will detect this Metasploit module; however, it is disabled by default.

Description:

Subsig 6 fires when a potential buffer overflow attempt against a Windows DCOM RPC service is detected. This may indicate a system compromise.

This is a 5.x only signature.

However, as noted in the benign triggers section for signature 3327-6:

False positives have been reported with this signature. To help identify malicious traffic it is recommended that you look for alerts from one of the 3328-* signatures from the same source.

So one should only enable this signature for a specific cause.

We are currently investigating improving the fidelity of 3327-6 or possibly creating new protection for this module.

If you have already enabled 3327-6 and this is not firing, please email me the pcap at ips-signature-team@cisco.com and we will take a look.

I hope that helps, and please let us know if this does not answer your question.

Thanks

Al

Cisco IDS/IPS Signature Development Team
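The reply's tuning advice is that a 3327-6 alert is only worth acting on when the same source also trips one of the 3328-* signatures. The script below, an added example and not Cisco's code or any IPS feature, applies that correlation rule to exported alert lines. The line format (`<timestamp> sig=<id>-<subsig> src=<ip> dst=<ip>`), the sample alerts and the 300-second window are all constructed assumptions for the example; a real export would need its own parser.

```python
"""Correlate 3327-6 alerts with 3328-* alerts from the same source address.

Added example: the alert line format, the sample data and the time window
are constructed for illustration and do not reflect a real sensor export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert lines (not real sensor output).
SAMPLE_ALERTS = """\
2024-01-01T10:00:00 sig=3327-6 src=10.0.0.5 dst=10.0.0.20
2024-01-01T10:00:01 sig=3328-1 src=10.0.0.5 dst=10.0.0.20
2024-01-01T10:05:00 sig=3327-6 src=10.0.0.9 dst=10.0.0.21
2024-01-01T10:06:00 sig=1000-0 src=10.0.0.9 dst=10.0.0.21
2024-01-01T10:10:00 sig=3328-2 src=10.0.0.7 dst=10.0.0.22
2024-01-01T10:30:00 sig=3327-6 src=10.0.0.7 dst=10.0.0.22
"""

# Assumed export format: ISO timestamp, sig=<id>-<subsig>, src=<ip>, dst=<ip>.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+sig=(?P<sig>\d+)-(?P<sub>\d+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines not matching the assumed format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sig": int(m["sig"]),
            "sub": int(m["sub"]),
            "src": m["src"],
            "dst": m["dst"],
        })
    return alerts


def corroborate(alerts, window_seconds=300):
    """For every source that fired 3327-6, return 'corroborated' if the same
    source also fired any 3328-* signature within the window, else
    'uncorroborated'. Sources that never fired 3327-6 are not reported."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    verdicts = {}
    for src, events in by_src.items():
        dcom_hits = [e for e in events if e["sig"] == 3327 and e["sub"] == 6]
        if not dcom_hits:
            continue
        rpc_hits = [e for e in events if e["sig"] == 3328]
        near = any(abs(d["ts"] - r["ts"]) <= window
                   for d in dcom_hits for r in rpc_hits)
        verdicts[src] = "corroborated" if near else "uncorroborated"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(corroborate(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{src}: {verdict}")
```

With the sample data, 10.0.0.5 is corroborated (3328-1 one second after 3327-6), 10.0.0.9 is not (its second alert is an unrelated signature), and 10.0.0.7 is not because its 3328-2 alert falls outside the window. Adjust `window_seconds` to match how quickly the two signatures tend to fire together in your own environment.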
