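# Bro/Zeek signature: flags an RPC DCOM request to TCP/135 whose UNC-style
# server name is unusually long (the event text calls this a servername
# stack overflow attempt).
# Restored from a slide listing: the stray bullet glyph ("l") at the start of
# each line is removed, statements split across lines are rejoined, and the
# typographic quotes are replaced with ASCII quotes so the rule can parse.
signature rpc-dcom_servername-overflow
{
  # IP protocol field (byte 9 of the IP header) == 6, i.e. TCP.
  header ip[9:1] == 6
  # TCP destination port (bytes 2-3 of the TCP header) == 135, the RPC endpoint mapper.
  header tcp[2:2] == 135
  # Only inspect data sent by the connection originator on an established connection.
  tcp-state originator,established
  # Only fires if the rpc-dcom_bind-req signature has also matched on this
  # connection; that signature is defined elsewhere and is not shown here.
  requires-signature rpc-dcom_bind-req
  # \x05\x00\x00            bytes 05 00 00 (presumably DCE/RPC version 5.0, packet type "request")
  # .{100,}                 at least 100 arbitrary bytes
  # \x5c\x00\x5c\x00        "\\" encoded as UTF-16LE (start of a UNC server name)
  # [^\\]{32,}              32 or more bytes before the next backslash
  # The count is in bytes, not characters: 32 bytes is 16 UTF-16LE code units,
  # so long but legitimate host names may also match. Tune the threshold
  # against local traffic.
  payload /.*\x05\x00\x00.{100,}\x5c\x00\x5c\x00[^\\]{32,}/
  # Message attached to the signature match that is raised to the policy layer.
  event "RPC DCOM servername stack overflow attempt"
  # NOTE(review): eval normally names a policy-script function that returns a
  # bool. "RPC_DCOM.dll" is kept as the slide shows it, but it looks like
  # shorthand. Confirm the intended condition before deploying.
  eval "RPC_DCOM.dll"
}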