RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

["Smith, Donald" <Donald.Smith () qwest com>]

The content is very easy to change:-)
Its just a for loop incrementing by 1.


> Also, a number of people have posted sigs that are not only matching
> based on IP protocol number, but also on content.  Obviously this will
> only catch the *tool* being used, and not the *exploit* which is far

        _Excellent_ point.  It might even make sense to use both sets of

rules; the content-specific rules to identify that the original tool is 
being used, and the more generic protocol-only rules afterwards to show 
that someone's trying to exploit those protocols, but they're using a 
different tool.
        Cheers,
        - Bill

------------------------------------------------------------------------
---
        "Cogito ergo sum...cogito."
(Courtesy of Bob Hillery <rhillery () tec nh us>)
------------------------------------------------------------------------
--
William Stearns (wstearns () pobox com).  Mason, Buildkernel, freedups,
p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:
http://www.stearns.org
Linux articles at:
http://www.opensourcedigest.com
------------------------------------------------------------------------
--


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users