Re: snort rule

[Nigel Houghton <nigel () sourcefire com>]

On 8/29/07 4:42 AM, "lokesh sharma" <lokeshpunjabi_1984 () yahoo com au> wrote:

> can you help me
>
> to write rules regarding DHCP
>
> The rule is
>
> "detect all attempts to exploit this vulnerability. In particular, it should
> detect attempts by any computer making DHCP requests where hte Hlen field has
> an invalid value, and where the following byte-code sequence is found anywhere
> in the Sname or File fields. The byte-code sequence should not be matched in
> any other field of the request. The byte-code sequence (in hexadecimal) is:
>
> 01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF
>
> on detecction of such attack attempts, your rule should generate an alert with
> the message:
>
> "DHCP Service invalid input HLen attack detected".
>
> thanx

This looks like a question taken straight from an education course of some
kind. This is not the place to have other people do your homework for you.

-- 
Nigel Houghton
Office Linebacker
SF VRT


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users