[Snort-sigs] SID 307 and SID 1382 misplaced?

Jon warchild at ...288...
Fri Jan 17 16:49:03 EST 2003


Any particular reason the two signatures below are in chat.rules and not
exploit.rules?  I know that they are both chat _and_ exploit related, but I
think they would be better off in exploit.rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"CHAT IRC EXPLOIT topic overflow"; flow:to_client,established; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:5;)


alert tcp any any -> any 6666:7000 (msg:"CHAT IRC EXPLOIT Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:6;)

thoughts?

-jon
