[Snort-sigs] Solaris lpd exploit sig

Chris Green cmg at ...435...
Fri Jun 28 12:45:01 EDT 2002

Matt Kettler <mkettler at ...189...> writes:

> The hex vs string really doesn't much matter AFAIK,

It's all transmuted into bytes anyway and then compared. If things
that are ascii are stored in ascii, it's easier to read and analyze
signatures manually.  Humans are funny like that :-)

> but the repeated sequence of the same character at the beginning of
> the content: section is particularly painful for the string matching
> engine snort uses. If at all possible you should *really* avoid such
> content patterns. I know that a large number of //'s is a core part
> of the exploit, but it's very very painful for a BM string search to
> execute.

The longer strings are better than the shorter patterns :-) Don't
worry much about implementation level details like that when designing
patterns.  Worry more about making correct patterns when writing

> You should also strongly consider adding the LPD port 515 instead of
> any on the destination, your text mentions it but the rule lacks it.


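Matt's claim about repeated leading bytes and a BM search is easy to measure. The following is an added example, not code from the thread, from Snort, or the rule being discussed: it counts byte comparisons made by a Boyer-Moore-Horspool search (a BM variant, not Snort's own matcher) over a constructed slash-heavy buffer for three constructed patterns.

```python
# Added example (not Snort's code, not the rule under discussion): count byte
# comparisons in a Boyer-Moore-Horspool search, a BM variant, to see how a
# content pattern built from one repeated byte behaves on slash-heavy data.
# All inputs below are constructed.

def bmh_search(text: bytes, pattern: bytes):
    """Horspool search; returns (match_offset or None, comparisons made)."""
    m, n = len(pattern), len(text)
    if m == 0 or n < m:
        return None, 0
    # Bad-character shift: distance from a byte's last occurrence (ignoring
    # the final pattern byte) to the end of the pattern; absent bytes skip m.
    shift = {pattern[i]: m - 1 - i for i in range(m - 1)}
    comparisons, pos = 0, 0
    while pos <= n - m:
        j = m - 1
        while j >= 0:                      # compare right to left
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return pos, comparisons
        pos += shift.get(text[pos + m - 1], m)
    return None, comparisons

def compare_patterns(run_length: int = 2000, m: int = 16) -> dict:
    """Scan a constructed buffer of run_length '/' bytes (no match present)
    with three patterns and return the comparison count for each."""
    text = b"/" * run_length + b"\n"
    patterns = {
        "leading_repeat": b"/" * (m - 1) + b"A",   # slashes, then one byte
        "trailing_repeat": b"A" + b"/" * (m - 1),  # one byte, then slashes
        "distinct": bytes(range(0x61, 0x61 + m)),  # b"abcdefghijklmnop"
    }
    return {name: bmh_search(text, p)[1] for name, p in patterns.items()}

if __name__ == "__main__":
    for name, count in compare_patterns().items():
        print(f"{name:16} {count:6d} comparisons")
```

On this input the pattern of distinct bytes skips a full pattern length at every alignment, the leading-slash pattern is forced to step one byte at a time through the run, and once the repeated bytes sit at the tail every alignment re-compares all of them.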