312-50V10 · Question #662
Study the snort rule given below: From the options below, choose the exploit against which this rule applies.
The correct answer is C. MS Blaster. The Snort rule targets MS Blaster, which exploited the DCOM RPC vulnerability on TCP port 135 with a distinctive payload signature.
Question
Study the snort rule given below:
From the options below, choose the exploit against which this rule applies.
Exhibit
Options
- AWebDav
- BSQL Slammer
- CMS Blaster
- DMyDoom
How the community answered
(43 responses)- A7% (3)
- B14% (6)
- C77% (33)
- D2% (1)
Why each option
The Snort rule targets MS Blaster, which exploited the DCOM RPC vulnerability on TCP port 135 with a distinctive payload signature.
WebDAV exploits target HTTP-based file access on port 80 or 443 and use entirely different protocol signatures unrelated to RPC traffic.
SQL Slammer is a compact UDP worm targeting SQL Server on port 1434, producing a very small and distinct payload that does not match an RPC-focused Snort rule.
MS Blaster (W32.Blaster.Worm) exploited the DCOM RPC vulnerability described in MS03-026, sending crafted packets to TCP port 135 with a specific byte pattern that Snort rules for this worm detect. The worm's shellcode and overflow payload produce a unique network signature that distinguishes it from other exploits targeting different services and ports.
MyDoom spreads via SMTP and peer-to-peer file sharing mechanisms, not via RPC port 135 traffic patterns.
Concept tested: Snort rule identification for Windows RPC exploits
Source: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026
Topics
Community Discussion
No community discussion yet for this question.
