[Snort-sigs] wrong signature
athomas at ...681...
Mon Jan 13 12:23:09 EST 2003
I am trying to get some help regarding the slapper worm signature that
snort has -
alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper
worm admin traffic";
content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10;
ents.org/analysis.html?id=167; sid:1889; rev:3;)
Is the signature trying to match | 4500 0045 0000 4000 |, which is the
initial part of the IP header?
In that case, the initial 0000 is not needed, right?
Otherwise, it would be incorrect.
If I am missing something, please correct me.
I had sent a mail regarding this, but snort-rules still has the same
Thanks a lot,
College of Computing
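
The following is an added example, not part of the original message or of Snort's code. It shows how the rule's content, offset and depth options select bytes, given that Snort evaluates content against the packet payload (here the UDP data) rather than the IP header; the helper names and the payloads are constructed for illustration.

```python
def parse_content(spec: str) -> bytes:
    """Convert a Snort content string (literal text with |hex| runs) to bytes."""
    out = bytearray()
    # After splitting on '|', odd-indexed pieces are hex runs, even ones are text.
    for i, part in enumerate(spec.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> int:
    """Return the payload index where pattern matches, or -1.

    offset is where the search starts; depth is how many bytes from offset
    may be searched. The whole pattern must fit inside that window.
    """
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end)


# Pattern as written in sid:1889, and the shorter one proposed in the message.
FULL = parse_content("|0000 4500 0045 0000 4000|")
SHORT = parse_content("|4500 0045 0000 4000|")

# Constructed UDP payloads (sample data, not captured traffic).
PAD = b"\x00" * 20
payload_a = bytes.fromhex("00004500004500004000") + PAD  # begins with 0000
payload_b = bytes.fromhex("4500004500004000") + PAD      # no leading 0000
payload_c = b"\x01\x02\x03" + FULL + PAD                 # pattern shifted by 3

if __name__ == "__main__":
    for name, p in (("a", payload_a), ("b", payload_b), ("c", payload_c)):
        print(name,
              "full:", content_match(p, FULL, offset=0, depth=10),
              "short:", content_match(p, SHORT, offset=0, depth=10))
```

With offset:0 and depth:10, the 10-byte pattern can only match when it is exactly the first 10 payload bytes, while the 8-byte pattern may start at payload index 0, 1 or 2.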