[Snort-sigs] yppasswd exploit
cmg at ...26...
Tue Feb 5 19:05:06 EST 2002
"Nathan W. Labadie" <ab0781 at ...334...> writes:
> I've attached a tcpdump of the yppasswd exploit that I've been seeing
> lately. Currently snort detects it as "SHELLCODE sparc NOOP", usually
> after "RPC portmap request yppasswd". All of the yppasswd exploits I've
> seen lately have been identical. It'd be much appreciated if someone could
> code a rule from this. Can't be based on dst port either... the service (I
> believe) runs on random ports < 1024.
Do you have any legit yppasswd traffic? If it's a wee bit sensitive,
feel free to send to me directly and I'll try to write a rule for it,
but getting anything better than the noops stuff will be difficult
without seeing more of the traffic.
Chris Green <cmg at ...26...>
Let not the sands of time get in your lunch.