[Snort-sigs] Solaris lpd exploit sig

Meder Baike meder at ...643...
Fri Jun 21 18:21:04 EDT 2002


First, I don't know if putting content in |hex| will speed things up rather than putting a string.
Second, I am not sure if the signature should only look for a lot of '/'es going to port 515 (w/o the KARMAPOLICE string), but in the original exploit the 'KARMAPOLICE' string is there, so here is the sig:

# Plain-string alternative for the content match, kept outside the rule so the
# backslash line continuations are not interrupted by a comment line:
#                                 content:"/////////////////////////////KARMAPOLICE"; nocase;
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Solaris LPD exploit"; flags: A+; \
                                  content:"|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|"; \
                                  reference:url,online.securityfocus.com/archive/1/275456; \
                                  classtype:attempted-admin; sid:1000002; rev:1;)
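
Added example, not part of the original post: a small Python check that decodes the two content patterns from the rule above into the byte strings they denote and runs both against constructed payloads, showing that the |hex| form and the commented-out string form are not the same pattern (slash count, trailing 0A, nocase). The helper names and the sample payloads are assumptions made for this illustration, and escaped pipes inside a content string are not handled.

```python
def decode_content(spec: str) -> bytes:
    """Decode a Snort content pattern: literal text mixed with |hex bytes| runs."""
    out = bytearray()
    # After splitting on '|', odd-indexed pieces are the parts between pipes.
    for i, part in enumerate(spec.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Substring match of the decoded pattern, optionally case-insensitive."""
    pattern = decode_content(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# The two content options as they appear in the post.
TEXT_FORM = "/////////////////////////////KARMAPOLICE"  # used with nocase
HEX_FORM = "|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|"

# Constructed payloads (not captured traffic): slash runs plus the marker string.
SAMPLES = {
    "marker_newline": b"\x02" + b"/" * 40 + b"KARMAPOLICE\n",
    "marker_no_newline": b"/" * 40 + b"KARMAPOLICE\x00",
    "lowercase_marker": b"/" * 40 + b"karmapolice\n",
    "few_slashes": b"/" * 8 + b"KARMAPOLICE\n",
    "no_marker": b"\x02lp\n",
}


def compare() -> dict:
    """Return {sample: (text_form_hit, hex_form_hit)} for every payload."""
    return {
        name: (matches(p, TEXT_FORM, nocase=True), matches(p, HEX_FORM))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    print("hex form decodes to:", decode_content(HEX_FORM))
    for name, (text_hit, hex_hit) in compare().items():
        print(f"{name:18} text+nocase={text_hit!s:5} hex={hex_hit}")
```

The samples where the two columns disagree are the cases to weigh when choosing between the two content lines.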



