Snort mailing list archives

RE: Re: [Snort-sigs] Possible improvements to pop3 rules.


From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Wed, 4 May 2005 08:09:07 -0400

Here's the ultimate signature set to catch 0.000000000001 day
`sploits.....  

Alert tcp any any -> any any (msg:"0-day Exploit Rule for tcp";
classification:oh-sh*t; rev:1;)
Alert udp any any -> any any (msg:"0-day Exploit Rule for Udp";
classification:oh-sh*t; rev:1;)
Alert icmp any any -> any any (msg:"0-day exploit rule for ICMP";
classification:oh-sh*t; rev:1;)

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Kell
Sent: Wednesday, May 04, 2005 1:15 AM
To: Erik de Castro Lopo; snort-users () lists sourceforge net
Subject: [Snort-users] Re: [Snort-sigs] Possible improvements to pop3
rules.


Erik de Castro Lopo wrote:

> So, two questions:
>
>    0) Are rule optimisations like this valid?

YES YES YES!

>    1) Are optimisations like this worthwhile?

YES YES YES!

And anybody out there who has a non-zero packet loss that tries to tell
you otherwise should be null-routed, dropped, rejected, and/or ignored!

It certainly isn't as "glamorous" or "cool" as trying to create the ever
elusive 0.0000001-day exploit signature, but it is certainly appreciated
by those of us without the time/energy/patience to re-create the wheel.

"We're really serious about reinventing everything that needs
reinventing." --Larry Wall

Faster is almost always better :-)

Jeff


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events,
4 opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



