nerdexam
EC-Council

312-50V13 · Question #116

Study the snort rule given below: From the options below, choose the exploit against which this rule applies.

The correct answer is C. MS Blaster. The Snort rule provided is designed to detect the MS Blaster worm, which exploited a buffer overflow vulnerability in the DCOM RPC interface of Windows systems.

Submitted by marco_it· Mar 6, 2026Malware Threats

Question

Study the snort rule given below: From the options below, choose the exploit against which this rule applies.

Exhibit

312-50V13 question #116 exhibit

Options

  • AWebDav
  • BSQL Slammer
  • CMS Blaster
  • DMyDoom

How the community answered

(33 responses)
  • A
    6% (2)
  • B
    15% (5)
  • C
    70% (23)
  • D
    9% (3)

Why each option

The Snort rule provided is designed to detect the MS Blaster worm, which exploited a buffer overflow vulnerability in the DCOM RPC interface of Windows systems.

AWebDav

WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to HTTP and is not directly related to the MS Blaster exploit.

BSQL Slammer

SQL Slammer exploited a buffer overflow in Microsoft SQL Server's UDP port 1434, making it distinct from MS Blaster which targeted DCOM RPC on TCP port 135.

CMS BlasterCorrect

The MS Blaster worm, also known as W32.Blaster, exploited a buffer overflow vulnerability (MS03-026) in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, typically targeting TCP port 135. A Snort rule designed for Blaster would look for specific patterns or shellcode associated with this exploit in traffic destined for port 135.

DMyDoom

MyDoom is a mail-based worm that exploited social engineering and email attachments, not the DCOM RPC vulnerability targeted by MS Blaster.

Concept tested: MS Blaster worm detection

Source: https://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-systems-ids-ips/58249-msblaster.html

Topics

#Snort rule#MS Blaster#worm detection#IDS

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice