Windows RPC DCOM Overflow sub id 8

Jan 20th, 2009


Lately I've been hammered badly by this signature. The funny thing is the destination ports are high ports, e.g. 1025, 5000, etc. (non-NetBIOS). I noticed this signature has been firing frequently since MS08-067. Anyone having the same experience? Is this a true positive?

Thanks in advance.

rupadras Mon, 01/26/2009 - 14:21

If you are referring to sig 3327 subsig 8, it doesn't have any event-action associated with it by default. By any chance, have you tuned the sig or added an Event Action Override that might be applied to it?

yuliang13 Mon, 02/02/2009 - 18:06


Yes, I'm referring to 3327. I do not think we have tuned it, as we have hundreds of IPS deployed. Do you mind if I send you the payload to have a look?

yuliang13 Sun, 02/15/2009 - 22:53

If there is no event-action associated with it, does this mean the signature is actually not important?

mzeiser Tue, 03/03/2009 - 03:14

Signature 3327-8 is a meta component and thus only part of a signature. It does not have any event actions by default as the main signature is the one that'll produce an alert once the required components have been triggered by an attack.

A component going off may not be of significance, which is why they are set not to produce alerts by default. If you've changed this setting, and are now annoyed by the alerts, I suggest turning it back to default.

Martin Zeiser

IPS Signature Team

yuliang13 Tue, 03/03/2009 - 03:32

Hi Martin,

Thanks for the reply. I've tried an RPC DCOM exploit against this signature. Only subsig 8 was triggered by the exploit attempt. Do you think this signature is important?

mzeiser Tue, 03/03/2009 - 04:04

This signature is relevant to CVE-2003-0352, which is the vulnerability the Blaster worm abused. I'm sure there's still a bunch of old machines out there infected by this worm and scanning the Internet for victims.

yuliang13 Tue, 03/03/2009 - 07:46


Yes, it's related to that. I'm using the exploit for that vulnerability and it triggered signature 8 only. I think this means sub ID 8 should be quite important, right?


