[Dshield] RE: Moving infocon to 'half yellow'
pauls at utdallas.edu
Sat Aug 2 01:13:35 GMT 2003
They were released two days ago. Just update to the latest rules, or at
least the latest NETBIOS rules and you'll have them. The sids are 2190,
2191, 2192 and 2193.
--On Friday, August 01, 2003 19:47:11 -0400 DLackey at pittohio.com wrote:
> Does anyone have snort signatures for this. Any help is appreciated.
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> Sent: Friday, August 01, 2003 5:32 PM
> To: intrusions at sans.org; list at dshield.org
> Subject: Moving infocon to 'half yellow'
> Ok. We realy couldn't make up our mind ;-). The RPC DCOM issue is serious.
> We are seeing it exploited, and work on refining the exploit is in
> progress. While the exploit is not in such heavy use as to cause any wide
> spread outages at this time, we did set the 'Infocon' up a notch to
> indicate that this is your
> VERY LAST CHANCE TO PATCH.
> I can't stress enough, that a patch is probably the only safe thing you
> can do at this point. Depending on your configuration, there are a number
> of ports that can be used to exploit this vulnerability. The exploits in
> circulation at this point are for the most part silent if successful.
> Do not rely on firewalls. There are numerous ways to exploit this issue.
> Firewalls will help, but should not be used in lieu of patches. A virus
> scanner will most likely not detect the exploit.
> SANS - Internet Storm Center
> PGP Key: http://isc.sans.org/jullrich.txt
> __________ This message is for the designated recipient(s) only and may
> contain privileged, proprietary or otherwise private information. If
> you have received this message in error, please notify the sender
> immediately and delete the original. Any other use of this email is
> prohibited. Email is for business use only.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
More information about the list