ARAKIS

Szczególy klastra: [WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)

Nazwa:	[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)
Data:	2007-07-30 15:39:25
Poziom klasyfikacji:	Attack
Rdzeń:	[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)
Porty:	135/TCP
Unikalnych źródeł:	673
Rozmiar sygnatury:	1125
Sygnatura klastra:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEO\ W", CVE-2003-0352, MS03-026)"; flow:to_server,established; content:"\|01 00 04 00 05 00 06 00 01 00 \ 00 00 00 00 00 00\|2$X\|fd cc\|EdI\|b0\|p\|dd ae\|t,\|96 d2\|`^\|0d 00 01 00 00 00 00 00 00 00\|p^\|0d 00 02 00 \ 00 00 7c\|^\|0d 00 00 00 00 00 10 00 00 00 80 96 f1 f1\|*M\|ce 11 a6\|j\|00\| \|af\|nr\|f4 0c 00 00 00\|MARB\|01\ 00 00 00 00 00 00 00 0d f0 ad ba 00 00 00 00 a8 f4 0b 00\| \|05 00 00\| \|05 00 00\|MEOW\|04 00 00 00 a2 \ 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F8\|03 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|00 00 00 00\ f0 04 00 00 e8 04 00 00 00 00 00 00 01 10 08 00 cc cc cc cc c8 00 00 00\|MEOW\|e8 04 00 00 d8 00 00 0\ 0 00 00 00 00 02 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4\|(\|cd 00\|d)\|\ cd 00 00 00 00 00 07 00 00 00 b9 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|ab 01 00 00 00 00 00 00\ c0 00 00 00 00 00 00\|F\|a5 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|a6 01 00 00 00 00 00 00 c0 00\ 00 00 00 00 00\|F\|a4 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|ad 01 00 00 00 00 00 00 c0 00 00 00\ 00 00 00\|F\|aa 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|07 00 00 00\|`\|00 00 00\|X\|00 00 00 90 00 0\ 0 00\|@\|00 00 00\| \|00 00 00\|8\|02 00 00\|0\|00 00 00 01 00 00 00 01 10 08 00 cc cc cc cc\|P\|00 00 00\|O\|b6\ 88\| \|ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0\ 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 08 00 cc cc cc cc\|H\|00 00 00 07 00\|f\|00 06 09 02\ 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|10 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00\|x\ \|19 0c 00\|X\|00 00 00 05 00 06 00 01 00 00 00\|p\|d8 98 93 98\|O\|d2 11 a9\|=\|be\|W\|b2 00 00 00\|2\|00\|1\|00 0\ 1 10 08 00 cc cc cc cc 80 00 00 00 0d f0 ad ba 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18\|C\|\ 14 00 00 00 00 00\|`\|00 00 00\|`\|00 00 00\|MEOW\|04 00 00 00 c0 01 00 00 00 00 00 00 c0 00 00 00 00 00 0\ 0\|F\;\|03 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|00 00 00 00\|0\|00 00 00 01 00 01 00 81 c5 17 03 80 \ 0e e9\|J\|99 99 f1 8a\|Poz\|85 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0\ 1 00 00 00 01 10 08 00 cc cc cc cc\|0\|00 00 00\|x\|00\|n\|00 00 00 00 00 d8 da 0d 00 00 00 00 00 00 00 00\ 00\| /\|0c 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00\|F\|00\|X\|00 00 00 00 00 01 10\ 08 00 cc cc cc cc 10 00 00 00\|0\|00\|.\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 08 00\ cc cc cc cc\|h\|00 00 00 0e 00 ff ff\|h\|8b 0b 00 02 00 00 00 00 00 00 00 00 00 00 00 06 01 00 00 00 00\ 00 00 06 01 00 00\|\\\|00\|\\\|00\|F\|00\|X\|00\|N\|00\|B\|00\|F\|00\|X\|00\|F\|00\|X\|00\|N\|00\|B\|00\|F\|00\|X\|00\|F\|00\|X\|00\ \|F\|00\|X\|00\|F\|00\|X\|00\|"; content:"\|00 cc e0 fd 7f cc e0 fd 7f 90 90 90 90 90 90 90 90 90\|"; content:"\ \|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 \ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9\ 0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 \ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\|"; content:"\|eb 02 eb 05 e8 \ f9 ff ff ff\|[1\|c9 b1\|"; content:"\|80\|s\|0c 13\|C"; content:"w\|10\|S#k\|1f 98\|S\|1f\|"; content:"\|98\|S\|1b f\ 8 1a 98\|S'\|9e\|So\|98\|S/\|98 c3\|";)

Publiczne strony ARAKISa zawierają jedynie zbiorcze statystyki dotyczące klastra. Każdy klaster posiada nazwę, poziom klasyfikacji, listę portów których dotyczy, liczbę unikalnych źródłowych IP wysyłających dane o podobnej charakterystyce, wielkość końcowej sygnatury i końcową „super” sygnaturę klastra wyrażoną w postaci regułki snort. Sygnatura ta jest wspólna dla wszystkich przepływów tworzących klaster i jest potencjalnie sygnaturą nowego zagrożenia np. exploita lub robaka.