Snort mailing list archives
dns.rules... Snort Rule ID: 259 named overflow
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 16 Jul 2001 20:11:38 -0700
Quick questions to the snorting world about this rule... Explanation first... it contains a big ass long string the exploit uses as:

"thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanywayhorizongotitworkingsoalliscool"

which seems like a lot of needless searching that it makes snort go through and a mild waste of cpu when (content:"workingsoalliscool"; offset:xx) would seem to be more efficient and sufficient... (And besides, the real reason that I'm complaining is that it looks damn ugly on my html tables in the rules editor... :-)

But more importantly, this would seem to catch the precanned sploit kiddies but be vulnerable to evasion by any sentient with more than two brain cells to rub together... Does anyone have a better sig for Horizon's sploit we could use? (Is Horizon on any of these lists to answer?)

cheers,
--dr
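The comparison the post makes between the long content match and a shorter content plus offset, as an added example that is not code from the post or from the Snort project: a minimal model of Snort's content/offset semantics run over constructed payloads, reporting whether each rule variant fires and how many byte comparisons a naive search spends. The offset value (80) stands in for the "offset:xx" left unspecified in the post, and the payload layout is an assumption.

```python
# Added example, not code from the original post or from the Snort project:
# a minimal model of Snort's content/offset matching, used to compare the
# long-string signature quoted in the thread with the shorter
# content+offset variant the poster proposes.  The offset value and the
# sample payloads are constructed assumptions; the real rule's offset is
# not given in the post.

LONG_CONTENT = (
    b"thisissometempspaceforthesockinaddrinyeahiknow"
    b"thisislamebutanywayhorizongotitworkingsoalliscool"
)
SHORT_CONTENT = b"workingsoalliscool"
ASSUMED_OFFSET = 80  # stand-in for the "offset:xx" in the post

def content_match(payload, content, offset=0):
    """Emulate the content modifier with an optional offset.

    Snort's offset:N means the match may begin no earlier than byte N of
    the payload.  Returns (matched, comparisons); the naive search counts
    byte comparisons so the work each rule variant asks for can be compared.
    """
    comparisons = 0
    for start in range(offset, len(payload) - len(content) + 1):
        for i in range(len(content)):
            comparisons += 1
            if payload[start + i] != content[i]:
                break
        else:
            return True, comparisons
    return False, comparisons

def evaluate_rules(payload):
    """Run both rule variants and report (matched, search cost) for each."""
    long_hit, long_cost = content_match(payload, LONG_CONTENT)
    short_hit, short_cost = content_match(payload, SHORT_CONTENT, ASSUMED_OFFSET)
    return {"long": (long_hit, long_cost), "short": (short_hit, short_cost)}

# Constructed payloads: a 12-byte stand-in header followed by the filler
# string as shipped, and the same layout with the filler replaced by zeros
# (the trivial change the post warns both variants would miss).
CANNED_PAYLOAD = b"\x00" * 12 + LONG_CONTENT + b"\x00" * 8
ALTERED_PAYLOAD = b"\x00" * 12 + bytes(len(LONG_CONTENT)) + b"\x00" * 8

if __name__ == "__main__":
    for name, p in (("canned", CANNED_PAYLOAD), ("altered", ALTERED_PAYLOAD)):
        print(name, evaluate_rules(p))
```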
Current thread:
- dns.rules... Snort Rule ID: 259 named overflow Dragos Ruiu (Jul 16)
- Re: dns.rules... Snort Rule ID: 259 named overflow Brian Caswell (Jul 17)