[Snort-sigs] SubSeven Sigs

Chris Green cmg at ...435...
Tue Mar 12 14:05:03 EST 2002


counter.spy at ...52... writes:

> Can somebody give me a clue on how to find unique patterns in packets?
> Are there any tools that help finding such patterns?

snort -dev 


What I typically do is run tcpdump -w exploit.cap -s 1500 -i eth0 and
then use ethereal or snort -dev -r exploit.cap to find them.

It's pretty much eyeball intensive.  Use BPF to isolate the port
portion more.

If you would send some example packet captures I would gladly try to
help you though I wonder if S7 uses dynamic keying now..
-- 
Chris Green <cmg at ...435...>
A good pun is its own reword.
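
Added example, not part of Chris Green's message: a small helper that takes over part of the eyeballing described above by finding the longest byte run present in every captured payload and printing it as a Snort content option. The payload bytes are constructed sample data (not real SubSeven traffic), and it is assumed they were copied out of the `snort -dev -r exploit.cap` dump by hand; `common_runs` and `to_content` are hypothetical names.

```python
# Added example: find byte runs shared by every captured payload.
# All payloads below are constructed sample data, not real trojan traffic.

def common_runs(payloads, min_len=4):
    """Return the longest byte strings (>= min_len) present in every payload."""
    if not payloads:
        return []
    ref = min(payloads, key=len)  # a common run must fit in the shortest payload
    others = [p for p in payloads if p is not ref]
    for length in range(len(ref), min_len - 1, -1):
        found = []
        for start in range(len(ref) - length + 1):
            cand = ref[start:start + length]
            if cand not in found and all(cand in p for p in others):
                found.append(cand)
        if found:
            return found
    return []  # nothing stable, e.g. when each session is keyed differently

def to_content(run):
    """Render bytes as a Snort content option; special bytes go in |hex| blocks."""
    out, hexbuf = [], []
    for b in run:
        ch = chr(b)
        if 0x20 <= b < 0x7F and ch not in '";\\|:':
            if hexbuf:
                out.append("|" + " ".join(hexbuf) + "|")
                hexbuf = []
            out.append(ch)
        else:
            hexbuf.append("%02X" % b)
    if hexbuf:
        out.append("|" + " ".join(hexbuf) + "|")
    return 'content:"%s";' % "".join(out)

# Constructed: three sessions with a fixed banner and varying bytes around it.
SAMPLES = [
    b"\x01\x10HELLO-SRV v1.0\r\nid=4821",
    b"\x02\x33HELLO-SRV v1.0\r\nid=77",
    b"\x07\x00HELLO-SRV v1.0\r\nid=9",
]
# Constructed: payloads with no shared bytes, as per-session keying would give.
KEYED = [b"\x8a\x11\x5c\x90\xee\x42", b"\x03\x77\xa1\x4d\x20\xb9", b"\xf0\x2e\x66\x19\xc4\x5a"]

if __name__ == "__main__":
    for run in common_runs(SAMPLES):
        print(to_content(run))
    print("keyed sessions:", common_runs(KEYED))
```

A run shared by the samples is only a candidate; it still has to be checked against normal traffic on the same port before it goes into a rule.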