[Snort-sigs] Solaris lpd exploit sig

Matt Kettler mkettler at ...189...
Fri Jun 28 12:14:01 EDT 2002

The hex vs string really doesn't much matter AFAIK, but the repeated 
sequence of the same character at the beginning of the content: section is 
particularly painful for the string matching engine snort uses. If at all 
possible you should *really* avoid such content patterns. I know that a 
large number of //'s is a core part of the exploit, but it's very very 
painful for a BM string search to execute.

You should also strongly consider adding the LPD port 515 instead of any on 
the destination; your text mentions it but the rule lacks it.

I might suggest this rule instead:

alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"Solaris LPD exploit"; \
                 flags: A+; \
                 content:"/KARMAPOLICE"; nocase; \
                 reference:url,online.securityfocus.com/archive/1/275456; \
                 classtype:attempted-admin; sid:1000002; rev:2;)

At 03:18 PM 6/21/2002 +0600, you wrote:
>first i don't know if putting content in |hex| will speed things up rather 
>then putting a string,
>second is i am not sure if signature should only look for a lot of '/'es 
>going to port 515 (w/o KARMAPOLICE string), but in original exploit 
>'KARMAPOLICE' string is there, so here is the sig:
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Solaris LPD exploit"; 
>flags: A+; \
>content:"/////////////////////////////KARMAPOLICE"; nocase; \
>content:"|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|"; \
>reference:url,online.securityfocus.com/archive/1/275456; \
>classtype:attempted-admin; sid:1000002; rev:1;)
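As an added example (not code from the list post or from Snort itself), the toy matcher below decodes Snort `content:` arguments, including the `|2F 2F ...|` hex form used in the quoted rule, and applies the destination-port and content constraints of the two rules above to a few constructed packets. It shows that the quoted rule with `any` as destination port fires on the same bytes carried to an HTTP port, and that the revised rule's shorter `/KARMAPOLICE` pattern with `nocase` also catches a lowercase variant that the case-sensitive hex content misses. The packets are made up for illustration; `flags`, flow state and every other rule option are ignored, and the matcher is not Snort's engine.

```python
# Added example (not from the mailing-list post): decode Snort `content:`
# arguments, then apply the two rules' port and content constraints to a
# few constructed packets. Flags, flow state and other rule options are
# deliberately ignored; this is a toy matcher, not Snort's engine.

def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content argument to raw bytes.

    Text outside pipes is literal; text between a pair of pipes is
    space-separated hex bytes, e.g. "|2F 2F|" -> b"//". Segments may be mixed.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == "|":
            end = spec.index("|", i + 1)        # closing pipe of the hex run
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


# Content options copied verbatim from the two rules in the thread.
ORIGINAL_RULE = {
    "name": "sid:1000002 rev:1 (dst port any)",
    "dport": "any",
    "contents": [
        {"pattern": "/////////////////////////////KARMAPOLICE", "nocase": True},
        {"pattern": "|2F 2F 2F 2F 2F 2F 2F 2F 4B 41 52 4D 41 50 4F 4C 49 43 45 0A|",
         "nocase": False},
    ],
}

REVISED_RULE = {
    "name": "sid:1000002 rev:2 (dst port 515)",
    "dport": 515,
    "contents": [{"pattern": "/KARMAPOLICE", "nocase": True}],
}


def rule_matches(rule: dict, pkt: dict) -> bool:
    """True when the packet satisfies the rule's dst port and every content option."""
    if rule["dport"] != "any" and pkt["dport"] != rule["dport"]:
        return False
    for opt in rule["contents"]:
        needle = parse_snort_content(opt["pattern"])
        haystack = pkt["payload"]
        if opt["nocase"]:                        # nocase: ASCII case-insensitive compare
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


# Constructed sample packets (not real captures).
SAMPLE_PACKETS = {
    "lpd_exploit_like": {"dport": 515, "payload": b"/" * 64 + b"KARMAPOLICE\n"},
    "http_same_bytes":  {"dport": 80,  "payload": b"GET /" + b"/" * 64 + b"KARMAPOLICE\n HTTP/1.0\r\n"},
    "lpd_short_lower":  {"dport": 515, "payload": b"////////karmapolice\n"},
    "lpd_benign_job":   {"dport": 515, "payload": b"\x02lp\n"},
}


def evaluate(rule: dict) -> dict:
    """Map each sample packet name to whether the rule would fire on it."""
    return {name: rule_matches(rule, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    # The hex content in the quoted rule is just "////////KARMAPOLICE\n" in bytes.
    print(parse_snort_content(ORIGINAL_RULE["contents"][1]["pattern"]))
    for rule in (ORIGINAL_RULE, REVISED_RULE):
        print(rule["name"])
        for name, fired in evaluate(rule).items():
            print(f"  {name:18s} -> {'ALERT' if fired else '-'}")
```

The port check runs before any content search, which is also the order that matters for cost in a real sensor: a rule scoped to port 515 is only consulted for traffic to that port, while a rule with `any` is evaluated against every TCP stream and its content patterns are searched far more often.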
