[Snort-sigs] Snort-Sig for Red Hat lpd buffer overflow.

Matt Kettler mkettler at ...189...
Thu Mar 28 08:58:03 EST 2002


bash$ grep -i "lpr" *.rules

exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags: A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:bugtraq,1712; classtype:attempted-admin; sid:301; rev:1;)

exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags: A+; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; rev:1;)

virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772; classtype:misc-activity; rev:3;)


OK so the last one isn't it, but the middle one is quite possibly what you 
are looking for.

Note: I'm using snort 1.8.2 at the moment, newer rulesets may have the 
appropriate reference: fields added, but in my version they don't have one.

At 10:48 PM 3/27/2002 -0500, Hessifer, Charles wrote:

>Looking for assistance tracking down the Snort signature for the lpd 
>buffer overflow.
>
>CVE:    CVE-2001-0670   VU#:274043
>CERT:   CA-2001-30
>
>Thanks,
>
>CH
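The rules in the grep output alert only when the exact bytes of their content: option appear in the packet payload, which is why sid:302 keys on the string "XXXX%.172u%300$n" and sid:301 on one specific shellcode fragment ending in "/bin/sh". The following Python matcher is an added illustration (it is not part of this post and not Snort's own code): it decodes Snort content strings, including |hex| spans and backslash escapes, and runs the three grepped rules over constructed sample packets. It assumes that only the source port, destination port and payload matter ($HOME_NET, $EXTERNAL_NET and flags are ignored) and that offset/depth bound the search to payload[offset:offset+depth].

```python
"""Tiny Snort-1.x-style 'content' matcher to exercise the rules grepped above.

Added example (not part of the original post, nor Snort's own code). Assumptions:
only the ports and payload are checked ($HOME_NET/$EXTERNAL_NET and flags are
ignored), and offset/depth bound the search to payload[offset:offset+depth].
"""
import re
from typing import Dict, List

# The rules from the grep output above, joined back onto single lines.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags: A+; '
    'content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF '
    '2F 62 69 6E 2F 73 68 0A|"; reference:bugtraq,1712; classtype:attempted-admin; sid:301; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; '
    'flags: A+; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; '
    'classtype:attempted-admin; sid:302; rev:1;)',
    r'alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; '
    r'content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772; '
    r'classtype:misc-activity; rev:3;)',
]

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')   # honours \" and \\ escapes
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def decode_content(spec: str) -> bytes:
    """Turn a content:"..." value into raw bytes: |..| spans are hex, the rest literal."""
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == '|':                              # hex span, e.g. |2F 62 69 6E|
            end = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif spec[i] == '\\' and i + 1 < len(spec):     # escaped literal (\\, \", \|, \;)
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


def parse_rule(line: str) -> Dict:
    """Pull out the few header fields and options this matcher evaluates."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule header: " + line[:40])
    sport, dport, body = m.group(4), m.group(6), m.group(7)

    def int_opt(name: str, default: int) -> int:
        hit = re.search(rf'\b{name}:\s*(\d+)', body)
        return int(hit.group(1)) if hit else default

    content = CONTENT_RE.search(body)
    return {
        "sid": int_opt("sid", 0),
        "msg": MSG_RE.search(body).group(1),
        "sport": sport,
        "dport": dport,
        "content": decode_content(content.group(1)) if content else b"",
        "offset": int_opt("offset", 0),
        "depth": int_opt("depth", 0),                   # 0 means "search to end of payload"
    }


PARSED = [parse_rule(r) for r in RULES]


def rule_matches(rule: Dict, payload: bytes, sport: int, dport: int) -> bool:
    if rule["sport"] not in ("any", str(sport)) or rule["dport"] not in ("any", str(dport)):
        return False
    window = payload[rule["offset"]:]                   # assumed offset/depth semantics
    if rule["depth"]:
        window = window[: rule["depth"]]
    return rule["content"] in window


def scan(payload: bytes, sport: int, dport: int) -> List[int]:
    """Return the sids that would alert on this segment, in sid order."""
    return sorted(r["sid"] for r in PARSED if rule_matches(r, payload, sport, dport))


# Constructed test traffic (not captures). RFC 1179 "receive job": 0x02, queue name, LF.
BENIGN_JOB = b"\x02lp\n"
# Same request carrying the exact byte string sid:302 keys on.
FORMAT_STRING_JOB = b"\x02lp" + b"XXXX%.172u%300$n" + b"\n"
# Mentions /bin/sh but lacks the shellcode bytes sid:301 expects, so 301 stays quiet.
SHELL_MENTION_JOB = b"\x02lp /bin/sh\n"
# POP3 bodies with the PrettyPark marker before, inside and past the offset/depth window.
POP3_EARLY = b"A" * 100 + b"\\CoolProgs\\" + b"B" * 500
POP3_INSIDE = b"A" * 400 + b"\\CoolProgs\\" + b"B" * 500
POP3_LATE = b"A" * 1100 + b"\\CoolProgs\\"

if __name__ == "__main__":
    for r in PARSED:
        print(r["sid"], r["msg"], r["content"])
    print("benign job to 515:", scan(BENIGN_JOB, 1025, 515))                 # []
    print("format-string job to 515:", scan(FORMAT_STRING_JOB, 1025, 515))   # [302]
    print("same bytes to 9100:", scan(FORMAT_STRING_JOB, 1025, 9100))        # []
    print("/bin/sh mention to 515:", scan(SHELL_MENTION_JOB, 1025, 515))     # []
    print("PrettyPark inside window:", scan(POP3_INSIDE, 110, 50000))        # [772]
```

Two things the run makes visible: sid:302 fires on nothing but that one format string on port 515, and sid:772 only sees the marker within bytes 300 to 1050 of the message, so the same marker earlier or later in the body passes. Both are reasons to check the reference: and rev: fields of whatever ruleset you deploy rather than relying on the sid alone.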
