Snort mailing list archives
RE: newbie question ....
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 10 Sep 2002 16:36:48 -0400
By looking at the packet captures and determining patterns. Patterns may be related the network service in use (i.e., Kerberos), or they may be related to the exploit itself. A common example would be [insert lame IIS exploit here], which usually involves sending packets that contain at least X number of characters, where X is a number just higher than that which the system can appropriately process.
-----Original Message----- From: Ryan Hairyes [mailto:rhairyes () lee k12 nc us] Sent: Tuesday, September 10, 2002 4:17 PM To: Erek Adams Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] newbie question .... Yes it does ... thanks ... that does clear it up a lot for me ... but I was still wondering how they got the >120 ... that isn't the infection size... is it? Thanks again. Quoting Erek Adams <erek () theadamsfamily net>: : On Tue, 10 Sep 2002, Ryan Hairyes wrote: : : > Im new to snort .... and I was wondering if someone maybe able to point : me : > in the right direction. My question is .... how do you determine the : > DSIZE when using the dsize option. I noticed with the virus.rules file : the : > klez alert that the dsize is set to >120. Thanks for the help. : : Sure. : : http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.8 : : "The dsize option is used to test the packet payload size. It may be set to : any value, plus use the greater than/less than signs to indicate ranges and : limits. For example, if you know that a certain service has a buffer of a : certain size, you can set this option to watch for attempted buffer : overflows. : It has the added advantage of being a much faster way to test for a buffer : overflow than a payload content check." : : Does that help? : : ----- : Erek Adams : Nifty-Type-Guy : TheAdamsFamily.Net : ------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- newbie question .... Ryan Hairyes (Sep 10)
- Re: newbie question .... Erek Adams (Sep 10)
- Re: newbie question .... Ryan Hairyes (Sep 10)
- <Possible follow-ups>
- RE: newbie question .... McCammon, Keith (Sep 10)
- RE: newbie question .... McCammon, Keith (Sep 10)
- Re: newbie question .... Erek Adams (Sep 10)