Snort mailing list archives
RPC + snort
From: Jill Tovey <jill.tovey () bigbluedoor com>
Date: 02 May 2003 15:49:53 +0100
Hi All,

I am looking at an RPC attack generated by the sidestep tool. The attack works by using null-byte encoding to attempt to evade snort. However, this tool is quite old and snort has since been updated and can detect this attack - I am just wondering if anyone can explain how exactly snort can detect this?

I am guessing it might be something to do with the rpc-decode rule, however, someone with more knowledge on the subject than I has suggested that it is because snort has a signature for target machine RPC replies - can anyone explain it?