Dailydave mailing list archives

Re: The Hydrogen hundred dollar challenge


From: Brian <bmc () snort org>
Date: Tue, 12 Apr 2005 11:42:15 -0400

On Mon, Apr 11, 2005 at 11:49:15PM -0400, Dave Aitel wrote:
> I was reading a weblog the other day, where a person complained
> because Hydrogen
> (http://www.immunitysec.com/products-hydrogen.shtml) was too hard to
> write a Snort signature for. I guess my position is that if your
> network can be owned by less than 100K of code which I wrote in my
> spare time five years ago, then it's time to upgrade to a system
> that can't. Anyways, I will give $100 dollars to the first person
> who posts a snort or nfr signature that can detect my private
> (slightly modded) version of Hydrogen. (i.e. make it reasonably
> generic, and let's not have it false-positive every time I browse
> the web). The idea here is to show that everything doesn't have to
> be spoon-fed to you Gerber-style.

Does my 30 second grep of your code get me a beer?

On a valid tcp session:

if (first packet from client 4 bytes in length, store that as A)
and if (next packet from client, A bytes in length)
and if (first packet from server, 4 bytes in length, store that as B)
and if (next packet from server, B bytes in length)

    Say "Hi dave!"

Brian
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
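
The check sketched in the message above, written out as an added example (not code from the thread or from Snort) and run over constructed sessions. Assumptions: packets are already reduced to hypothetical (direction, payload) pairs in capture order, and the 4-byte value is an unsigned big-endian integer by default, since the post does not state a byte order.

```python
import struct

def length_prefixed_leg(payloads, byte_order=">"):
    """True if the first payload is 4 bytes and the second has exactly that many bytes."""
    if len(payloads) < 2 or len(payloads[0]) != 4:
        return False
    (announced,) = struct.unpack(byte_order + "I", payloads[0])
    return len(payloads[1]) == announced

def matches_heuristic(session, byte_order=">"):
    """Apply the four conditions from the post to one TCP session.

    session: list of ("c2s" | "s2c", payload_bytes), one entry per packet.
    Empty payloads (bare ACKs) are skipped. The check is per packet, as in
    the post, so TCP segmentation or coalescing changes what it sees.
    """
    client = [p for d, p in session if d == "c2s" and p]
    server = [p for d, p in session if d == "s2c" and p]
    return (length_prefixed_leg(client, byte_order)
            and length_prefixed_leg(server, byte_order))

# Constructed sample sessions (not captured traffic).
FRAMED = [
    ("c2s", b"\x00\x00\x00\x05"), ("s2c", b""), ("c2s", b"hello"),
    ("s2c", b"\x00\x00\x00\x03"), ("c2s", b""), ("s2c", b"abc"),
]
WEB = [
    ("c2s", b"GET / HTTP/1.1\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]
HALF = [  # client side fits, server length does not
    ("c2s", b"\x00\x00\x00\x05"), ("c2s", b"hello"),
    ("s2c", b"\x00\x00\x00\x03"), ("s2c", b"abcdef"),
]
LITTLE_ENDIAN = [
    ("c2s", b"\x05\x00\x00\x00"), ("c2s", b"hello"),
    ("s2c", b"\x03\x00\x00\x00"), ("s2c", b"abc"),
]

if __name__ == "__main__":
    for name, s in [("FRAMED", FRAMED), ("WEB", WEB), ("HALF", HALF)]:
        print(name, matches_heuristic(s))
    print("LITTLE_ENDIAN (<)", matches_heuristic(LITTLE_ENDIAN, "<"))
```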

