[Snort-sigs] New Signature

Chris Green cmg at ...26...
Sat Jan 26 16:35:02 EST 2002


"Michael Anuzis" <michael_anuzis at ...12...> writes:

> I apologize for wasting everyone's time & e-mail space. This rule
> isn't completed yet. It only catches what it's supposed to catch when
> the attacker has it reply reporting a certain IP/port.
>
> The part of the datagram that does stay the same are these 6 bytes but
> for some reason (perhaps some syntax error) this rule won't catch the
> packet either:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "SubSeven 2.2 SIN
> Beacon"; dsize: 14; content: "|8177 9e9c 696e|"; depth: 6;)
>
> The 6 bytes mentioned above are the first in the datagram so I
> mentioned no offset, but for some reason it still won't catch. If any
> of the core developers knows what may be wrong feel free to fix it,
> otherwise I guess we can drop it here.


It's not a problem.  We need all the help we can get researching these
rules.  I don't have pairs of windows machines on any of my networks
that I can use for this so I would appreciate it if you could send
some tcpdump formatted packet logs to me or the list so we can
investigate what's going on with the rule.
-- 
Chris Green <cmg at ...26...>
A good pun is its own reword.
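The rule under discussion combines a dsize test with a hex content match bounded by depth, and the thread cannot tell whether the mismatch is a syntax problem or a payload problem without packet captures. The script below is an added example, not code from either poster or from the Snort project: it reimplements just the dsize/content/depth/offset subset of Snort's option semantics in Python so the rule's logic can be checked against constructed UDP payloads before a capture is available. It assumes the usual Snort 2 reading of those options (dsize as an exact payload length, depth counted from offset, hex inside pipes with spaces ignored); the sample payloads are made up for illustration, not captured SubSeven traffic.

```python
from typing import Dict, Optional

# Constructed sample payloads (NOT captured traffic). The first has the shape the
# rule describes: 14 bytes with the 6-byte marker at offset 0. The rest are
# negative cases that exercise each option the rule uses.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "beacon_like": bytes.fromhex("81779e9c696e") + b"\x00" * 8,              # 14 bytes, marker at 0
    "wrong_size":  bytes.fromhex("81779e9c696e") + b"\x00" * 10,             # 16 bytes: dsize fails
    "shifted":     b"\x00\x00" + bytes.fromhex("81779e9c696e") + b"\x00" * 6,  # 14 bytes, marker at 2: depth fails
    "unrelated":   b"A" * 14,                                                # 14 bytes, no marker
}

# The content string exactly as written in the quoted rule.
THREAD_CONTENT = "|8177 9e9c 696e|"


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string into raw bytes.

    Text between pipe characters is hex (embedded spaces are ignored, as Snort
    allows); text outside pipes is taken as literal characters.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:  # odd-numbered segments sit inside | ... |
            hexdigits = part.replace(" ", "")
            if len(hexdigits) % 2:
                raise ValueError(f"odd-length hex segment: {part!r}")
            out += bytes.fromhex(hexdigits)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload: bytes, content: str, depth: Optional[int] = None,
                 offset: int = 0, dsize: Optional[int] = None) -> bool:
    """Apply the dsize/content/depth/offset subset of Snort option semantics.

    Assumed semantics (Snort 2 style): dsize is an exact payload-length test;
    the search window starts at `offset` and, if depth is given, is `depth`
    bytes long, so a 6-byte pattern with depth 6 must start at the offset.
    """
    if dsize is not None and len(payload) != dsize:
        return False
    needle = parse_content(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return needle in window


def check_samples() -> Dict[str, bool]:
    """Run the quoted rule's options over every constructed payload."""
    return {
        name: rule_matches(payload, THREAD_CONTENT, depth=6, dsize=14)
        for name, payload in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, hit in check_samples().items():
        print(f"{name:12s} {'MATCH' if hit else 'no match'}")
```

If the payloads from a real capture have the marker but the script still reports no match, the length or position is what differs from the rule's assumptions; if the script matches but Snort does not, the problem is on the rule-syntax side and the capture is what to send to the list.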