Snort mailing list archives

RPC + snort


From: Jill Tovey <jill.tovey () bigbluedoor com>
Date: 02 May 2003 15:49:53 +0100

Hi All,

I am looking at an RPC attack generated by the sidestep tool.  The
attack works by using null-byte encoding to attempt to evade snort.
However, this tool is quite old and snort has since been updated and can
detect this attack - I am just wondering if anyone can explain how
exactly snort can detect this?

I am guessing it might be something to do with the rpc-decode rule,
however, someone with more knowledge on the subject than I has suggested
that it is because snort has a signature for target machine RPC replies
- can anyone explain it?






