nerdexam
EC-Council

312-50V10 · Question #662

Study the snort rule given below: From the options below, choose the exploit against which this rule applies.

The correct answer is C. MS Blaster. The Snort rule targets MS Blaster, which exploited the DCOM RPC vulnerability on TCP port 135 with a distinctive payload signature.

Evading IDS, Firewalls, and Honeypots

Question

Study the snort rule given below:

From the options below, choose the exploit against which this rule applies.

Exhibit

312-50V10 question #662 exhibit

Options

  • AWebDav
  • BSQL Slammer
  • CMS Blaster
  • DMyDoom

How the community answered

(43 responses)
  • A
    7% (3)
  • B
    14% (6)
  • C
    77% (33)
  • D
    2% (1)

Why each option

The Snort rule targets MS Blaster, which exploited the DCOM RPC vulnerability on TCP port 135 with a distinctive payload signature.

AWebDav

WebDAV exploits target HTTP-based file access on port 80 or 443 and use entirely different protocol signatures unrelated to RPC traffic.

BSQL Slammer

SQL Slammer is a compact UDP worm targeting SQL Server on port 1434, producing a very small and distinct payload that does not match an RPC-focused Snort rule.

CMS BlasterCorrect

MS Blaster (W32.Blaster.Worm) exploited the DCOM RPC vulnerability described in MS03-026, sending crafted packets to TCP port 135 with a specific byte pattern that Snort rules for this worm detect. The worm's shellcode and overflow payload produce a unique network signature that distinguishes it from other exploits targeting different services and ports.

DMyDoom

MyDoom spreads via SMTP and peer-to-peer file sharing mechanisms, not via RPC port 135 traffic patterns.

Concept tested: Snort rule identification for Windows RPC exploits

Source: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026

Topics

#Snort rules#IDS signatures#MS Blaster#network worm

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice