[Snort-sigs] netric/eSDee dhcpd exploit rule.

Alberto Gonzalez albertg at ...1415...
Thu Apr 10 07:31:05 EDT 2003


I haven't been following the list much, so excuse me if someone already
did this. I had this sitting on the laptop for a while.

alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg: "netric/eSDee dhcpd exploit"; content: "|2e 25 30 38 78 2e 25 30 38 78|"; reference: cve, CAN-2002-0702; classtype: attempted-admin; rev:1;)

I'm sure there is room for improvement, but it got the job done down here
with no FPs when run through normal.pcap.

 Cheers,
 Alberto Gonzalez 


[1] - http://www.wwjh.net/~albertg/dhcp-expl.tgz

	Contains the pcaps I used for exploit & normal traffic, as well as
	the signature itself.

-- 
"Success comes to the person who does today, what you are thinking of doing tomorrow." 

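Added example, not part of the original post and not taken from the tarball it links: a small Python check that decodes the rule's content option (the hex bytes are the ASCII string ".%08x.%08x") and applies the rule's protocol, port and content conditions to sample payloads. The helper names and both payloads are constructed for illustration; only the first content option and the destination port are evaluated, not the full Snort rule language.

```python
import re

RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg: "netric/eSDee dhcpd exploit"; '
        'content: "|2e 25 30 38 78 2e 25 30 38 78|"; reference: cve, CAN-2002-0702; '
        'classtype: attempted-admin; rev:1;)')

def parse_content(rule):
    """Return the raw bytes of the rule's first content option.
    Snort content strings mix literal text with |hex bytes| sections."""
    value = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        # Odd-numbered parts sit between pipes and hold space-separated hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def dst_port(rule):
    """Destination port from the rule header: the token after '->' and the address."""
    header = rule.split("(", 1)[0].split()
    return int(header[header.index("->") + 2])

def rule_matches(rule, proto, dport, payload):
    """True when protocol, destination port and content bytes all match.
    The content match is case-sensitive, as in Snort without 'nocase'."""
    return proto == "udp" and dport == dst_port(rule) and parse_content(rule) in payload

def bootp(hostname):
    """Constructed BOOTP/DHCP payload: 236-byte header (mostly zeroed), magic cookie,
    message-type option (53), host-name option (12), end option (255)."""
    opts = b"\x35\x01\x01" + bytes([12, len(hostname)]) + hostname + b"\xff"
    return bytes([1, 1, 6, 0]) + bytes(232) + b"\x63\x82\x53\x63" + opts

PATTERN = parse_content(RULE)
BENIGN = bootp(b"laptop-01")        # constructed: ordinary host name
FLAGGED = bootp(b"x" + PATTERN)     # constructed: placement of the bytes is arbitrary

if __name__ == "__main__":
    print("content bytes:", PATTERN)
    for name, pkt in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, "->", "ALERT" if rule_matches(RULE, "udp", 67, pkt) else "no alert")
```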