[Snort-sigs] yppasswd exploit

Nathan W. Labadie ab0781 at ...334...
Tue Feb 5 12:36:08 EST 2002

I've attached a tcpdump of the yppasswd exploit that I've been seeing 
lately. Currently snort detects it as "SHELLCODE sparc NOOP", usually 
after "RPC portmap request yppasswd". All of the yppasswd exploits I've 
seen lately have been identical. It'd be much appreciated if someone could 
code a rule from this. Can't be based on dst port either... the service (I 
believe) runs on random ports < 1024.


Nathan W. Labadie       | ab0781 at ...334...	
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yppasswd-exploit.cap
Type: application/octet-stream
Size: 826 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020205/cf01e5c6/attachment.obj>
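
Until a dedicated rule exists, the two alerts named in the post can be correlated after the fact. The following is an added example, not code from the original post or from the Snort project: it pairs "RPC portmap request yppasswd" with a later "SHELLCODE sparc NOOP" between the same two hosts, keyed on a destination port below 1024 rather than a fixed port. The fast-alert line layout, the 60-second window, the `[1:0:0]` placeholder IDs and the sample addresses are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" alert layout; addresses are
# documentation ranges and [1:0:0] is a placeholder for gid:sid:rev.
SAMPLE_ALERTS = """\
02/05-12:30:01.100000  [**] [1:0:0] RPC portmap request yppasswd [**] {UDP} 192.0.2.10:901 -> 198.51.100.5:111
02/05-12:30:01.900000  [**] [1:0:0] SHELLCODE sparc NOOP [**] {UDP} 192.0.2.10:902 -> 198.51.100.5:774
02/05-12:31:00.000000  [**] [1:0:0] RPC portmap request yppasswd [**] {UDP} 192.0.2.77:650 -> 198.51.100.6:111
02/05-12:45:00.000000  [**] [1:0:0] SHELLCODE sparc NOOP [**] {TCP} 192.0.2.99:4000 -> 198.51.100.6:80
02/05-12:50:00.000000  [**] [1:0:0] SHELLCODE sparc NOOP [**] {UDP} 192.0.2.10:903 -> 198.51.100.5:2049
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(line, year):
    """Parse one fast-alert line; the format carries no year, so one is supplied."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    a["dport"] = int(a["dport"])
    return a

def correlate(text, window=timedelta(seconds=60), year=2002):
    """Return (src, dst, dport, time) for each NOOP alert following a yppasswd lookup."""
    pending = {}  # (src, dst) -> time of the most recent portmap yppasswd lookup
    hits = []
    for line in text.splitlines():
        a = parse(line, year)
        if a is None:
            continue
        key = (a["src"], a["dst"])
        if a["msg"] == "RPC portmap request yppasswd":
            pending[key] = a["ts"]
        elif a["msg"] == "SHELLCODE sparc NOOP" and key in pending:
            # The post says the service port varies but stays below 1024,
            # so test the range instead of one fixed destination port.
            delta = a["ts"] - pending[key]
            if timedelta(0) <= delta <= window and a["dport"] < 1024:
                hits.append((a["src"], a["dst"], a["dport"], a["ts"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS):
        print(hit)
```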
