Security Incidents mailing list archives

Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 14 Mar 2003 00:02:59 -0500


On Tuesday, March 11, 2003, at 12:32  AM, Loki wrote:

> One thing to mention, the exploit wouldn't have triggered any of the
> "official" snort rules in my post as I disabled all rules except for my
> own custom rules file: fatelabs.rules.
>
> Sid numbering:
>
> 0-100: Reserved for Marty
> 101-1000000: Snort.org "official" rules
> 1000001-2^32: Userland.
>
> Your confusion as to why the official snort rules using depth and mine
> which do not, both causing it to trigger really has nothing to do with
> depth. Specifying depth tells Snort not to look past 'n' bytes within
> the packet (a way of increasing the speed of Snort processing packets).

There's a big difference between using the depth/offset options properly and incorrectly. When used properly (which usually requires an intimate knowledge of the protocol you're analyzing) it works very well; people who are inexperienced with Snort and network protocol analysis should think twice about using these options.

    -Marty

-- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

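Marty's point about depth narrowing the search window, as an added example that is not part of the thread and not Snort's own code: a toy model of Snort's content/offset/depth matching, run over two constructed payloads, showing that a depth-limited rule only fires when the whole pattern sits inside its window while the unrestricted rule scans the entire packet. The sids, the marker string and the payloads are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

def sid_class(sid: int) -> str:
    """Classify a sid by the numbering ranges quoted in the thread."""
    if sid <= 100:
        return "reserved"
    if sid <= 1000000:
        return "official"
    return "userland"

@dataclass
class ContentRule:
    """Tiny subset of a Snort rule: one content match plus offset/depth."""
    sid: int
    content: bytes
    offset: int = 0                 # bytes to skip before searching
    depth: Optional[int] = None     # None: no depth keyword, search to end of packet

    def window(self, payload: bytes) -> bytes:
        # depth counts from the search start; the whole content has to fit
        # inside the window, so a pattern that straddles its edge is missed.
        start = self.offset
        end = len(payload) if self.depth is None else start + self.depth
        return payload[start:end]

    def matches(self, payload: bytes) -> bool:
        return self.content in self.window(payload)

    def bytes_examined(self, payload: bytes) -> int:
        # Rough stand-in for the speed argument: fewer bytes scanned per packet.
        return len(self.window(payload))

# Constructed rules in the two styles the thread contrasts.
MARKER = b"EXEC "  # constructed token standing in for a real signature pattern
OFFICIAL = ContentRule(sid=1234, content=MARKER, depth=8)   # depth-limited
CUSTOM = ContentRule(sid=1000001, content=MARKER)           # userland sid, no depth

# Constructed payloads: marker at the front, and the same marker after 64 bytes of padding.
PAYLOAD_EARLY = MARKER + b"ls\n"
PAYLOAD_LATE = b"A" * 64 + MARKER + b"ls\n"

def evaluate(rules: List[ContentRule], payload: bytes) -> List[int]:
    """Sids that fire on a payload, in rule order."""
    return [r.sid for r in rules if r.matches(payload)]

if __name__ == "__main__":
    for name, p in (("early", PAYLOAD_EARLY), ("late", PAYLOAD_LATE)):
        print(name, evaluate([OFFICIAL, CUSTOM], p),
              OFFICIAL.bytes_examined(p), CUSTOM.bytes_examined(p))
```

The late payload is the case Marty warns about: a depth chosen without knowing where the protocol actually places the field silently turns a rule into a miss.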




