[Snort-sigs] Question about sid: 1002

daniel.clemens daniel_clemens at ...842...
Thu Apr 3 11:09:22 EST 2003


On 3 Apr 2003, Paul Schmehl wrote:

> On Thu, 2003-04-03 at 09:05, Brian wrote:
> >
> > Because you would not pick up the scanners that just look for cmd.exe
> >
> OK, but in order to actually exploit the vulnerability, don't you have
> to use the question mark format?

Nope... Not necessarily.

-Dan
> (The problem I'm seeing is FPs every time someone runs WindowsUpdate,
> which is quite frequent on our campus.  It obscures the boxes that are
> actually infected with CodeRed.)
>
> --
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member

-Daniel Uriah Clemens
-------------------------------------------------------------------------------------------------------------
Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928
--------------------------------------------------------------------------------------------------------------




