[Snort-sigs] yppasswd exploit

Chris Green cmg at ...26...
Tue Feb 5 19:05:06 EST 2002


"Nathan W. Labadie" <ab0781 at ...334...> writes:

> I've attached a tcpdump of the yppasswd exploit that I've been seeing 
> lately. Currently snort detects it as "SHELLCODE sparc NOOP", usually 
> after "RPC portmap request yppasswd". All of the yppasswd exploits I've 
> seen lately have been identical. It'd be much appreciated if someone could 
> code a rule from this. Can't be based on dst port either... the service (I 
> believe) runs on random ports < 1024.
>
> Thanks,
> Nate

Do you have any legit yppasswd traffic? If it's a wee bit sensitive,
feel free to send to me directly and I'll try to write a rule for it,
but getting anything better than the noops stuff will be difficult
without seeing more of the traffic.
-- 
Chris Green <cmg at ...26...>
Let not the sands of time get in your lunch.



