Re: The Hydrogen hundred dollar challenge

[Dave Aitel <dave () immunitysec com>]

Brian wrote:

> On Mon, Apr 11, 2005 at 11:49:15PM -0400, Dave Aitel wrote:
>  
>
> >  Anyways, I will give $100 dollars to the first person
> > who posts a snort or nfr  signature that can detect my private
> > (slightly modded) version of Hydrogen. (i.e. make it reasonably
> > generic, and let's not have it false-positive every time I browse
> > the web). The idea here is to show that everything doesn't have to
> > be spoon-fed to you Gerber-style.
> >    
>
> Does my 30 second grep of your code get me a beer?
>
> On a valid tcp session:
>
> if (first packet from client 4 bytes in length, store that as A)
> and if (next packet from client, A bytes in length)
> and if (first packet form server, 4 bytes in length, store that as B)
> and if (next packet from server, B bytes in length)
>
>    Say "Hi dave!"
>
> Brian
>  
If you can cut that into a snort sig that I can test then I'd certainly 
pony up one 100 dollar beer :>. There might be a lot of protocols that 
do this sort of thing - like BO2K, H doesn't hvae a default port. Also, 
TCP isn't packet based...so I'd want to test to make sure Hydrogen 
really does send packets that big all at once. I usually assume a 512 
MTU, since that's what I use when I'm hacking. :>

-0dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave