Snort mailing list archives
RE: Test question
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 18 Dec 2001 10:37:01 -0700 (MST)
On Mon, 17 Dec 2001, Ronneil Camara wrote:
For me, I really appreciate seeing stuff in rules like content:"|ffff ff2f 4249 4e2f 5348 00|". How the hell did that guy come up with this rule!?! :-)
That's machine code from a particular exploit. It was likely pulled off the wire using a sniffer of some kind, or taken from the source code for the exploit. Many of the rules were done using a sniffer. Developing a rule like this is a tradeoff. The above rule is probably fairly specific, in that it will watch for a particular exploit, and tend to not have a lot of false positives. On the other hand, it's specific to that exploit, so that if someone else writes a different exploit, this rule may not catch it, even though it's exploiting the same hole.

Ryan
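As an added illustration of the tradeoff Ryan describes (this is not code from the thread or from Snort itself), the snippet below decodes the byte string inside that content: option and runs an exact-byte match over a few constructed payloads. parse_content is a hypothetical helper that handles only the plain text and |hex| forms of the option, not every Snort escape.

```python
import re

def parse_content(spec: str) -> bytes:
    """Decode a Snort content string such as 'foo|ff ff|bar' into raw bytes.

    Text outside |...| is taken literally; text inside is whitespace-separated
    hex. Hypothetical helper, not Snort's own parser: escapes like \\| are
    not handled.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            hexdigits = re.sub(r"\s+", "", part)   # hex run, spaces ignored
            if len(hexdigits) % 2:
                raise ValueError(f"odd-length hex run in content: {part!r}")
            out += bytes.fromhex(hexdigits)
    return bytes(out)

# The content string quoted in the thread.
RULE_CONTENT = "|ffff ff2f 4249 4e2f 5348 00|"
SIGNATURE = parse_content(RULE_CONTENT)   # decodes to b'\xff\xff\xff/BIN/SH\x00'

def matches(payload: bytes, signature: bytes = SIGNATURE) -> bool:
    """Exact substring match, which is what a bare content: option does."""
    return signature in payload

# Constructed sample payloads (not real captures): one carrying the exact
# bytes from the rule, one ordinary HTTP request, and one whose bytes differ
# from the original exploit and therefore slip past this specific signature.
SAMPLES = {
    "exact_bytes": b"\x90" * 16 + b"\xff\xff\xff/BIN/SH\x00" + b"\x00" * 4,
    "benign_http": b"GET /index.html HTTP/1.0\r\n\r\n",
    "different_bytes": b"\x90" * 16 + b"\xff\xff\xff/bin/sh\x00",
}

def scan(samples: dict) -> dict:
    """Return {sample name: whether the rule's content would fire}."""
    return {name: matches(payload) for name, payload in samples.items()}

if __name__ == "__main__":
    print(SIGNATURE)
    for name, hit in scan(SAMPLES).items():
        print(f"{name:16s} {'ALERT' if hit else 'no match'}")
```

The low false-positive rate and the miss on the third payload are the two sides of the tradeoff in one run.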