Snort mailing list archives

Re: snort rule

From: rmkml <rmkml () free fr>
Date: Wed, 29 Aug 2007 11:22:39 +0200 (CEST)

Hi lokesh,
maybe good starting with this :
  alert udp any any -> any 67 (msg:"DHCP Service byte-code sequence exploit detected"; content:"|01 48 23 87 AB 1F FA 
2C 9A 00 00 00 00 21 FF FF|"; classtype:shellcode-detect; sid:999999; rev:1;)
Finding your byte-code sequence on dhcp request is easy (byte-code sequence is long and reduce FP), and finding invalid 
input HLen on dhcp request is very hard.
Best Regards
Rmkml


On Wed, 29 Aug 2007, lokesh sharma wrote:

Date: Wed, 29 Aug 2007 18:42:55 +1000 (EST)
From: lokesh sharma <lokeshpunjabi_1984 () yahoo com au>
To: Snort-users () lists sourceforge net
Subject: [Snort-users] snort rule

can you help me
 to write rules regarding DHCP
 The rule is
 "detect all attempts to exploit this vulnerability. In particular, it should detect attempts by any computer making 
DHCP requests where hte Hlen
 field has an invalid value, and where the following byte-code sequence is found anywhere in the Sname or File fields.
 The byte-code sequence should not be matched in any other field of the request. The byte-code sequence (in 
hexadecimal) is:
 01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF
  on detecction of such attack attempts, your rule should generate an alert with the message:
 "DHCP Service invalid input HLen attack detected".

 thanx

---------------------------------
Get the World's number 1 free email service. Find out more.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort rule lokesh sharma (Aug 29)
- Re: snort rule rmkml (Aug 29)
- Re: snort rule Joel Esler (Aug 29)
  - Re: snort rule Paul Schmehl (Aug 29)
    - Re: snort rule Joel Esler (Aug 29)
    - Re: snort rule Milo Velimirovic (Aug 29)
- Re: snort rule Nigel Houghton (Aug 29)
  - Re: snort rule pearl carlo (Aug 30)
- <Possible follow-ups>
- Re: snort rule M. Shirk (Aug 29)