Rule:--Sid:8451--Summary:This event is generated when an attempt is made to exploit a known vulnerability in Microsoft systems using Server Message Block (SMB). In particular this rule generates an event when an attempt is made to exploit the rename function.--Impact:Serious. Execution of arbitrary code leading to unauthorized administrative access to the target host. Denial of Service (DoS) is also possible.--Detailed Information:SMB is a client - server protocol used in sharing resources such as files, printers, ports, named pipes and other things, between machines on a network.A vulnerability in the Microsoft implementation of SMB exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system. The attacker may also cause a DoS condition in the service or possibly gain unauthorized access to the target host.In particular this rule generates an event when an attempt is made to exploit the rename function.--Affected Systems:Microsoft Windows 2000 SP4Microsoft Windows XP SP1 and SP2Microsoft Windows XP Pro x64Microsoft Windows 2003 Server--Attack Scenarios:An attacker can supply extra data in the message from the server containing code of their choosing to be run on the client.--Ease of Attack:Simple.--False Positives:None known.--False Negatives:None known.--Corrective Action:Apply the appropriate vendor supplied patches.Turn off windows file and print services.Use Samba as an alternative file and print service.--Contributors:Sourcefire Vulnerability Research TeamBrian Caswell <bmc@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--