The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.
CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.
Key Indicators from the Snort Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135
content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)
Reference to CVE-2003-0352
Class type: attempted-admin
The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.
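The rule's content match keys on the DCERPC header bytes |05| (rpc_vers) and |0b| (ptype = BIND) arriving on 135/445. The following Python is an added example, not from the question or the courseware, that applies the same check to a TCP payload and pulls out the interface UUID being bound; the sample PDU it builds is constructed test data and SAMPLE_IFACE is a placeholder UUID.

```python
import struct
import uuid

# Connection-oriented DCERPC header (DCE 1.1 spec): byte 0 rpc_vers (5),
# byte 2 ptype, byte 4 data representation (0x10 = little-endian integers).
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
WATCHED_PORTS = {135, 445}  # the ports named in the Snort rule

def parse_dcerpc_header(payload: bytes):
    """Return header fields as a dict, or None if this is not a DCERPC PDU."""
    if len(payload) < 16 or payload[0] != 5 or payload[1] > 1:
        return None
    endian = "<" if payload[4] & 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", payload[8:16])
    return {"ptype": payload[2], "frag_len": frag_len, "call_id": call_id, "endian": endian}

def bind_interface_uuid(payload: bytes, endian: str):
    """Abstract-syntax UUID of the first context element in a BIND body."""
    # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3) ctx_id(2) n_xfer(1) pad(1)
    off = 16 + 8 + 4 + 4
    if len(payload) < off + 16:
        return None
    raw = payload[off:off + 16]
    return str(uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw))

def classify_segment(dst_port: int, payload: bytes):
    """Flag a DCERPC BIND to 135/445 the way the rule's content match does."""
    hdr = parse_dcerpc_header(payload) if dst_port in WATCHED_PORTS else None
    if hdr is None or hdr["ptype"] != PTYPE_BIND:
        return None
    return {"port": dst_port, "call_id": hdr["call_id"],
            "interface": bind_interface_uuid(payload, hdr["endian"])}

# NDR 2.0 transfer syntax, present in every real BIND
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
SAMPLE_IFACE = "12345678-1234-5678-9abc-def012345678"  # constructed placeholder UUID

def build_sample_pdu(ptype: int, iface: str = SAMPLE_IFACE) -> bytes:
    """Constructed test PDU (not captured traffic) with a one-element context list."""
    body = struct.pack("<HHI", 5840, 5840, 0) + bytes([1, 0, 0, 0])
    body += struct.pack("<HBB", 0, 1, 0) + uuid.UUID(iface).bytes_le + struct.pack("<HH", 0, 0)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    header = bytes([5, 0, ptype, 0x03, 0x10, 0, 0, 0]) + struct.pack("<HHI", 16 + len(body), 0, 1)
    return header + body

if __name__ == "__main__":
    print(classify_segment(135, build_sample_pdu(PTYPE_BIND)))    # BIND: reported
    print(classify_segment(135, build_sample_pdu(PTYPE_REQUEST)))  # REQUEST: None
```

A real sensor would feed reassembled TCP payloads into classify_segment and alert on the interface UUIDs it cares about rather than on every bind.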
From CEH v13 Courseware:
Module 6: Malware Threats
Module 11: Session Hijacking
Discussion of historic worms and their exploit signatures, including MS Blaster.
Incorrect Options:
A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.
B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.
D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.
References:
CEH v13 Study Guide – Module 6: Malware Threats → Classic Worm Attacks
CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352
Microsoft Security Bulletin MS03-026 – RPC Vulnerability