312-50V11 · Question #662
Study the snort rule given below: From the options below, choose the exploit against which this rule applies.
The correct answer is C. MS Blaster. The Snort rule targets MS Blaster, a worm that exploited a buffer overflow in the Windows DCOM RPC service on TCP port 135.
Question
Study the snort rule given below:
From the options below, choose the exploit against which this rule applies.
Exhibit
Options
- AWebDav
- BSQL Slammer
- CMS Blaster
- DMyDoom
How the community answered
(45 responses)- A4% (2)
- B16% (7)
- C73% (33)
- D7% (3)
Why each option
The Snort rule targets MS Blaster, a worm that exploited a buffer overflow in the Windows DCOM RPC service on TCP port 135.
WebDAV exploits target HTTP/HTTPS ports (80/443) using crafted HTTP SEARCH or PROPFIND requests, not the RPC-based traffic patterns this Snort rule inspects.
SQL Slammer targeted UDP port 1434 (SQL Server Resolution Service) with a compact 376-byte payload, not TCP port 135 RPC traffic.
MS Blaster (W32.Blaster.Worm) exploited CVE-2003-0352, a buffer overflow vulnerability in the Windows DCOM RPC interface listening on TCP port 135. Snort rules for this worm match specific shellcode byte sequences and malformed RPC request sizes characteristic of the exploit. The rule signatures correspond directly to the packet patterns Blaster used to propagate across unpatched Windows XP and 2000 systems.
MyDoom spread via email attachments and opened a backdoor on TCP port 3127/3128, bearing no relation to DCOM RPC exploitation.
Concept tested: Snort rule analysis and worm exploit identification
Source: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026
Topics
Community Discussion
No community discussion yet for this question.
