ARAKIS

Szczególy klastra: [WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)

Nazwa:	[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)
Data:	2007-05-29 17:39:03
Poziom klasyfikacji:	Attack
Rdzeń:	[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEOW", CVE-2003-0352, MS03-026)
Porty:	135/TCP
Unikalnych źródeł:	1370
Rozmiar sygnatury:	898
Sygnatura klastra:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"[WORM] MS RPC DCOM Blaster (135/TCP, "MARB", "MEO\ W", CVE-2003-0352, MS03-026)"; flow:to_server,established; content:"\|05 00 00 03 10 00 00 00\|"; cont\ ent:"\|00 00 e5 00 00 00\|"; content:"\|01 00 04 00 05 00 06 00 01 00 00 00 00 00 00 00\|2$X\|fd cc\|EdI\|b\ 0\|p\|dd ae\|t,\|96 d2\|`^\|0d 00 01 00 00 00 00 00 00 00\|p^\|0d 00 02 00 00 00 7c\|^\|0d 00 00 00 00 00 10 0\ 0 00 00 80 96 f1 f1\|*M\|ce 11 a6\|j\|00\| \|af\|nr\|f4 0c 00 00 00\|MARB\|01 00 00 00 00 00 00 00 0d f0 ad ba\ 00 00 00 00 a8 f4 0b 00\|"; content:"EOW\|04 00 00 00 a2 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F8\ \|03 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|00 00 00 00\|"; content:"\|00 00 01 10 08 00 cc cc cc cc \ c8 00 00 00\|MEOW"; content:"\|00 00 d8 00 00\|"; content:"\|00 00 00 00 00 02 00 00 00 07 00 00 00 00 0\ 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4\|(\|cd 00\|d)\|cd 00 00 00 00 00 07 00 00 00 b9 01 00 00 \ 00 00 00 00 c0 00 00 00 00 00 00\|F\|ab 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|a5 01 00 00 00 00 \ 00 00 c0 00 00 00 00 00 00\|F\|a6 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|a4 01 00 00 00 00 00 00 \ c0 00 00 00 00 00 00\|F\|ad 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\|aa 01 00 00 00 00 00 00 c0 00 \ 00 00 00 00 00\|F\|07 00 00 00\|`\|00 00 00\|X\|00 00 00 90 00 00 00\|@\|00 00 00\| \|00 00 00\|"; content:"\|00\ 00\|0\|00 00 00\|"; content:"\|01 00 00 00 01 10 08 00 cc cc cc cc\|P\|00 00 00\|O\|b6 88\| \|ff ff ff ff 00 \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0\ 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\ 00 00 00 00 00 00 00 00 01 10 08 00 cc cc cc cc\|H\|00 00 00 07 00\|f\|00 06 09 02 00 00 00 00 00 c0 00\ 00 00 00 00 00\|F\|10 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00\|x\|19 0c 00\|X\|00 00 00 \ 05 00 06 00 01 00 00 00\|p\|d8 98 93 98\|O\|d2 11 a9\|=\|be\|W\|b2 00 00 00\|2\|00\|1\|00 01 10 08 00 cc cc cc c\ c 80 00 00 00 0d f0 ad ba 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18\|C\|14 00 00 00 00 00\|`\|0\ 0 00 00\|`\|00 00 00\|MEOW\|04 00 00 00 c0 01 00 00 00 00 00 00 c0 00 00 00 00 00 00\|F\;\|03 00 00 00 00 \ 00 00 c0 00 00 00 00 00 00\|F\|00 00 00 00\|0\|00 00 00 01 00 01 00 81 c5 17 03 80 0e e9\|J\|99 99 f1 8a\|P\ oz\|85 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 10 08 0\ 0 cc cc cc cc\|0\|00 00 00\|x\|00\|n\|00 00 00 00 00 d8 da 0d 00 00 00 00 00 00 00 00 00\| /\|0c 00 00 00 00\ 00 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00\|F\|00\|X\|00 00 00 00 00 01 10 08 00 cc cc cc cc 10\ 00 00 00\|0\|00\|.\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 08 00 cc cc cc cc\|h\|00 00 \ 00 0e 00 ff ff\|h\|8b 0b 00 02 00 00 00 00 00 00 00 00 00 00 00\|"; content:"\|01 00 00 00 00 00 00\|"; c\ ontent:"\|01 00 00\|\\\|00\|\\\|00\|"; content:"F\|00\|X\|00\|N\|00\|B\|00\|F\|00\|X\|00\|F\|00\|X\|00\|N\|00\|B\|00\|F\|00\|X\|0\ 0\|F\|00\|X\|00\|F\|00\|X\|00\|F\|00\|X\|00\|";)

Publiczne strony ARAKISa zawierają jedynie zbiorcze statystyki dotyczące klastra. Każdy klaster posiada nazwę, poziom klasyfikacji, listę portów których dotyczy, liczbę unikalnych źródłowych IP wysyłających dane o podobnej charakterystyce, wielkość końcowej sygnatury i końcową „super” sygnaturę klastra wyrażoną w postaci regułki snort. Sygnatura ta jest wspólna dla wszystkich przepływów tworzących klaster i jest potencjalnie sygnaturą nowego zagrożenia np. exploita lub robaka.