Snort mailing list archives

dns.rules... Snort Rule ID: 259 named overflow


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 16 Jul 2001 20:11:38 -0700


Quick questions to the snorting world about this rule...
Explanation first... it contains a big ass long string the 
exploit uses as:

"thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanywayhorizongotitworkingsoalliscool"

Which seems like a lot of needless searching that it makes snort go through
and a mild waste of cpu when (content:"workingsoalliscool"; offset:xx) would
seem to be more efficient and sufficient.... (And besides, the real reason that
I'm complaining is that it looks damn ugly on my html tables in the rules
editor... :-)

But more importantly, this would seem to catch the precanned sploit kiddies but 
be vulnerable to evasion by any sentient with more than two brain cells to rub
together....

Does anyone have a better sig for Horizon's sploit we could use?
(Is Horizon on any of these lists to answer?)

cheers,
--dr

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
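As an added example for this thread (not code from the post above or from Snort itself), a small Python evaluator for the Snort content / offset / depth / nocase options, run against constructed payloads to show that an anchored short match covers the same canned payload as the full filler string, and how much of the payload each variant depends on. The 40-byte padding, the offset/depth window and both sample payloads are assumptions made up for the example.

```python
"""Minimal evaluator for the Snort rule options content / offset / depth / nocase.
Added example for this thread, not code from the original post or from Snort;
the payloads below are constructed, not captured exploit traffic."""
import re

# The filler string quoted in the post, as the rule's content match carries it.
LONG_FILLER = (b"thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanyway"
               b"horizongotitworkingsoalliscool")

# Rule options are "key:value;" pairs; a bare "nocase;" carries no value.
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(options: str) -> dict:
    """Parse the option part of a Snort rule into {option: value}."""
    opts = {}
    for key, value in OPTION_RE.findall(options):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # drop the quotes around a content string
        opts[key] = value
    return opts


def content_match(payload: bytes, options: str) -> bool:
    """True if payload satisfies the rule's content/offset/depth/nocase options.
    offset: byte position where the search starts (default 0).
    depth:  bytes searched from that position; the pattern must fit inside.
    nocase: case-insensitive compare (Snort content is case-sensitive by default).
    """
    opts = parse_options(options)
    pattern = opts["content"].encode()
    window = payload[int(opts.get("offset", 0)):]
    if "depth" in opts:
        window = window[:int(opts["depth"])]
    if "nocase" in opts:
        pattern, window = pattern.lower(), window.lower()
    return pattern in window


# Constructed payloads (assumption: 40 bytes of padding precede the filler).
CANNED = b"A" * 40 + LONG_FILLER + b"\x00" * 8
# Same layout with the first ten filler bytes changed: the full-string rule
# depends on every byte of the filler, the anchored short match does not.
ALTERED = b"A" * 40 + LONG_FILLER.replace(b"thisissome", b"THISISSOME") + b"\x00" * 8

RULE_LONG = 'content:"%s";' % LONG_FILLER.decode()
# The search window (bytes 100..139) is an assumption sized to this layout.
RULE_SHORT = 'content:"workingsoalliscool"; offset:100; depth:40;'
```

The offset/depth window is what keeps the short match from being a blind substring search over the whole packet; a real rule would size it from the protocol layout of the traffic rather than from a fixed padding length.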
