[Snort-sigs] Solaris lpd exploit sig

Martin Roesch roesch at ...435...
Mon Jun 24 21:49:07 EDT 2002


There's no performance difference between hex and regular text encoding in
Snort rules....

     -Marty


On 6/21/02 5:18 AM, "Meder Baike" <meder at ...643...> wrote:

> First, I don't know if putting content in |hex| will speed things up rather
> than putting a string.
> Second, I am not sure if the signature should only look for a lot of '/'es going
> to port 515 (w/o KARMAPOLICE string), but in the original exploit the 'KARMAPOLICE'
> string is there, so here is the sig:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Solaris LPD exploit"; flags: A+; \
> #   content:"/////////////////////////////KARMAPOLICE"; nocase; \
>     content:"|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|"; \
>     reference:url,online.securityfocus.com/archive/1/275456; \
>     classtype:attempted-admin; sid:1000002; rev:1;)

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
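
The following is an added example, not part of the original thread and not Snort's own code. It uses a simplified model of the `content` syntax (`|hex|` sections and backslash escapes) to show that the hex and text spellings of a pattern decode to the same bytes before any matching happens, and that `nocase` is what actually changes the result. The helper names and the sample payloads are constructed for illustration.

```python
def decode_content(pattern: str) -> bytes:
    """Decode a Snort-style content string (outer quotes removed) to raw bytes."""
    out = bytearray()
    hex_buf = ""
    in_hex = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            if in_hex:
                # bytes.fromhex skips the spaces between byte pairs
                out += bytes.fromhex(hex_buf)
                hex_buf = ""
            in_hex = not in_hex
        elif in_hex:
            hex_buf += ch
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1                      # escaped literal such as \" or \;
            out.append(ord(pattern[i]))
        else:
            out.append(ord(ch))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section")
    return bytes(out)


def matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Substring match on decoded bytes; nocase folds ASCII case on both sides."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Hex content exactly as posted in the rule above.
HEX_FORM = "|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|"
# The same bytes spelled as text plus one hex byte (constructed equivalent).
TEXT_FORM = "////////KARMAPOLICE|0A|"

# Constructed payloads: a long run of slashes followed by the marker string.
UPPER_PAYLOAD = b"/" * 40 + b"KARMAPOLICE\n"
LOWER_PAYLOAD = b"/" * 40 + b"karmapolice\n"

if __name__ == "__main__":
    print(decode_content(HEX_FORM) == decode_content(TEXT_FORM))
    print(matches(UPPER_PAYLOAD, HEX_FORM), matches(LOWER_PAYLOAD, HEX_FORM))
    print(matches(LOWER_PAYLOAD, TEXT_FORM, nocase=True))
```

In the posted rule the text content line carries `nocase` and a longer run of slashes, while the hex content line is case-sensitive and ends in `0A`, so the two lines are not interchangeable even though the encoding itself makes no difference.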




