Snort mailing list archives
Re: snort
From: Phil Wood <cpw () lanl gov>
Date: Wed, 30 Jul 2003 11:58:06 -0600
http://securityfocus.com/archive/1/330574/2003-07-20/2003-07-26/0

On Wed, Jul 30, 2003 at 10:25:15AM -0600, asclark wrote:
> Hey thanks for the improved rule. I've tested it with my IDS using both scanners and actual exploit code and it doesn't detect anything, even after attacking the IDS machines directly. It's possible it is simply not compatible with the IDS that I run (snort based so it should be), but hopefully others can test/use it. It looks right to me though. It's pretty much the same as what I was working on except for the content strings to match on. Did you get it off a site or did you write it? If you wrote it yourself I'd be very interested to know how you got the content data. I tried sniffing packets and performing the attack but I couldn't get any consistent data that I could use for detection with either tcpdump or ethereal. Otherwise could you point me to the site you got it from?
>
> Thanks
> A.
>
> Anthony S. Clark
> asclark () lanl gov
> Los Alamos National Laboratory
> 0 1 1 3 5 8 13 21 34 55 89 144
>
> On Tue, 29 Jul 2003, Susan Coulter wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|"; content:!"|5C|"; within:32; flow:to_server,established; reference:Bugtraq,8205; rev: 1; )
> >
> > On Tuesday 29 July 2003 14:51, asclark wrote:
> > > This is kind of a kludge, but this is what I'm using right now. I just made the SID up, but I have tested this with actual exploit code and the IDS picks it up.
> > >
> > > alert tcp $EXTERNAL_NET any <> $HOME_NET 135 (msg:"BAD TRAFFIC tcp port 135 traffic"; classtype:misc-activity; sid:52402020202; rev:6;)
> > >
> > > A
-- Phil Wood, cpw () lanl gov
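The content-matching logic of the two rules quoted above, as an added example that is not part of any post in the thread: it applies Susan Coulter's `content` / `content:!` / `within:32` checks to constructed byte strings, so a reader can see what the rule does and does not fire on, and contrasts it with asclark's content-free rule. The Snort semantics encoded here (whole-payload search for the first `content`, a 32-byte window after its end for the negated one, retry on later occurrences) are assumptions stated in the comments; `flow:to_server,established` is a TCP-state test and is not modelled.

```python
# Added example (not code from the thread). Assumed Snort semantics: a plain
# `content` searches the whole payload, `within:N` after it limits the next
# check to the N bytes following the previous match, `content:!` negates that
# check, and the engine retries later occurrences of the first pattern when
# the second check fails. `flow:` is not modelled.

FIRST = bytes.fromhex("005C005C")  # content:"|00 5C 00 5C|"
FORBIDDEN = b"\x5c"                # content:!"|5C|"
WITHIN = 32                        # within:32


def coulter_rule_matches(payload: bytes) -> bool:
    """True if some occurrence of FIRST is followed by 32 bytes with no 0x5C."""
    start = 0
    while (pos := payload.find(FIRST, start)) >= 0:
        end = pos + len(FIRST)
        if FORBIDDEN not in payload[end:end + WITHIN]:
            return True
        start = pos + 1
    return False


def clark_rule_matches(payload: bytes) -> bool:
    """asclark's rule has no content test: any port 135 packet fires it."""
    return True


# Constructed samples. UNC paths in DCE RPC requests are UTF-16LE, so "\\" is
# 5C 00 5C 00; a preceding 00 byte (e.g. the tail of a length field) yields
# the 00 5C 00 5C sequence the rule looks for.
SAMPLES = {
    # ordinary short path: another backslash follows within 32 bytes
    "short_unc": b"\x00" + "\\\\server\\share".encode("utf-16-le"),
    # overlong server name with no further backslash within 32 bytes
    "long_unc": b"\x00" + ("\\\\" + "A" * 40).encode("utf-16-le"),
    # unrelated bytes on the port
    "other": bytes(range(0x10, 0x30)),
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (coulter_rule, clark_rule) verdicts."""
    return {name: (coulter_rule_matches(p), clark_rule_matches(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (coulter, clark) in evaluate().items():
        print(f"{name:10s} coulter={coulter!s:5s} clark={clark}")
```

Run it to see that only the overlong UNC string satisfies the content checks while the port-135 catch-all fires on every sample.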