312-50V13 · Question #116
Study the snort rule given below: From the options below, choose the exploit against which this rule applies.
The correct answer is C. MS Blaster. The Snort rule provided is designed to detect the MS Blaster worm, which exploited a buffer overflow vulnerability in the DCOM RPC interface of Windows systems.
Question
Exhibit
Options
- AWebDav
- BSQL Slammer
- CMS Blaster
- DMyDoom
How the community answered
(33 responses)- A6% (2)
- B15% (5)
- C70% (23)
- D9% (3)
Why each option
The Snort rule provided is designed to detect the MS Blaster worm, which exploited a buffer overflow vulnerability in the DCOM RPC interface of Windows systems.
WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to HTTP and is not directly related to the MS Blaster exploit.
SQL Slammer exploited a buffer overflow in Microsoft SQL Server's UDP port 1434, making it distinct from MS Blaster which targeted DCOM RPC on TCP port 135.
The MS Blaster worm, also known as W32.Blaster, exploited a buffer overflow vulnerability (MS03-026) in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, typically targeting TCP port 135. A Snort rule designed for Blaster would look for specific patterns or shellcode associated with this exploit in traffic destined for port 135.
MyDoom is a mail-based worm that exploited social engineering and email attachments, not the DCOM RPC vulnerability targeted by MS Blaster.
Concept tested: MS Blaster worm detection
Source: https://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-systems-ids-ips/58249-msblaster.html
Topics
Community Discussion
No community discussion yet for this question.
