Snort mailing list archives
Re: dns.rules... Snort Rule ID: 259 named overflow
From: Brian Caswell <bmc () mitre org>
Date: Tue, 17 Jul 2001 08:32:37 -0400
Dragos Ruiu wrote:
> Quick questions to the snorting world about this rule... Explanation first... it contains a big ass long string the exploit uses as:
>
> "thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanywayhorizongotitworkingsoalliscool"
>
> Which seems like a lot of needless searching that it makes snort go through and a mild waste of cpu when (content:"workingsoalliscool"; offset:xx) would seem to be more efficient and sufficient.... (And besides, the real reason that I'm complaining is that it looks damn ugly on my html tables in the rules editor... :-)
>
> But more importantly, this would seem to catch the precanned sploit kiddies but be vulnerable to evasion by any sentient with more than two brain cells to rub together.... Does anyone have a better sig for Horizon's sploit we could use? (Is Horizon on any of these lists to answer?)
Correct me if I am wrong, but I thought other rules caught this exploit. I don't like signatures like this signature (or any of the "ADMROCKS" signatures for that matter) because they look for specific filler text. Usually there is something better that you can look for. The only benefit to these style signatures is that you can find what actual exploit was used much easier.

Our network attack lab is currently in shambles. Once it is in a usable state, I'll look at building a signature that doesn't look for the filler.

-brian

--
Brian Caswell
The MITRE Corporation
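A small Python model of Snort's content/offset/depth matching, added here as an illustration (it is not code from Snort or from either poster), showing what both messages describe: the shipped 95-byte filler match and the shorter offset-based variant both fire on the canned string, and both go quiet as soon as the filler changes, because neither keys on anything the exploit actually needs. The offset value (the post leaves it as "xx") and the sample packets are constructed; the thread does not describe the real packet layout.

```python
from typing import Optional

# The filler string quoted in the thread (95 bytes).
FILLER = (b"thisissometempspaceforthesockinaddrinyeahiknowthisislamebut"
          b"anywayhorizongotitworkingsoalliscool")
SHORT_TAIL = b"workingsoalliscool"     # the tail Dragos proposes matching on
ASSUMED_OFFSET = 12                    # constructed stand-in for 'offset:xx'


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content option: look for `content` starting `offset`
    bytes into the payload, searching at most `depth` bytes from there
    (depth=None means search to the end of the payload)."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(content, offset, end) != -1


def rule_259_style(payload: bytes) -> bool:
    """The shipped rule's approach: the whole filler, searched from byte 0."""
    return content_match(payload, FILLER)


def short_offset_style(payload: bytes) -> bool:
    """Dragos's proposal: a short tail of the filler plus an offset."""
    return content_match(payload, SHORT_TAIL, offset=ASSUMED_OFFSET)


# Constructed payloads, not real exploit traffic: a header-sized zero prefix,
# the filler, then padding; and the same layout with the filler replaced by
# a different string of the same length.
CANNED = bytes(ASSUMED_OFFSET) + FILLER + b"A" * 64
REFILLED = bytes(ASSUMED_OFFSET) + b"B" * len(FILLER) + b"A" * 64


def compare(payload: bytes) -> dict:
    """Evaluate both signature styles against one payload."""
    return {"rule_259": rule_259_style(payload),
            "short_offset": short_offset_style(payload)}


if __name__ == "__main__":
    print("canned  :", compare(CANNED))    # both True
    print("refilled:", compare(REFILLED))  # both False: filler-only signatures
```

The `depth` parameter is included so the window semantics can be checked too: with `offset:12; depth:95` the tail still lands inside the window, with `depth:94` it falls one byte outside.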