
Microsoft's Remote Procedure Call Vulnerability

akah0mer
Level 1

Is the Microsoft Remote Procedure Call (RPC) reference in the current signature database?

If not, is there a custom string that can be put in place?

6 Replies

dingevaldson
Level 1

No, not yet. ISS RealSecure Network and Proventia provided protection about a week ago.

A number of exploits for this vulnerability are now available in the wild. Has Cisco released any custom signatures for detection yet?

A signature for this vulnerability has been released in S49. You can retrieve it from:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids3-app

Yeah, and I get false positives up the wazoo.

I'm sorry, but unless you release the details of how your signature works, I turn them off and correlate home-made, my Proventias and Snort.

Visibility into your signatures provides better tuning than relying on your blackbox approach.

Which signature is giving false positives, and on which port?

SC

If you are running 4.X then you have full access to the details of the signature. All you have to do is open the signature up in IDM as if you were going to edit it and the complete signature details are there for your perusal.

If you are having an issue with a signature that is false positiving, then please bring it to our attention so that we can get to the root cause of the problem. We are constantly trying to improve the fidelity of our signatures; however, our visibility is only as good as the feedback that we are receiving.

Please contact me directly at klwiley@cisco.com and I will try to help you with your problems.