[Snort-sigs] snort-rules STABLE update @ Sat Nov 16 19:30:32 2002

Brian bmc at ...95...
Sun Jan 26 17:27:07 EST 2003


On Mon, Nov 18, 2002 at 09:27:20AM -0500, Michael Scheidell wrote:
> On Sat, Nov 16, 2002 at 11:43:10PM -0500, bmc at ...95... wrote:
> > 
> > This rule update was brought to you by Oinkmaster.
> > Written by Andreas Östling <andreaso at ...58...>
> 
> this one doesn't make any sense:
> there are two offsets in the modified rule, one 0 bytes, one 2 bytes.
> is this correct?
> 
>     old: alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|0001|"; offset:0; depth:2; content:"nc.exe"; nocase; classtype:successful-admin; sid:1441; rev:1;)
> 
>     new: alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|0001|"; offset:0; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:2;)

well, we know nc.exe isn't going to be within the first 2 bytes, so skip
em.

-brian
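To make Brian's answer concrete: in Snort each offset/depth/nocase modifier binds to the content that precedes it, so the new rule anchors |0001| in bytes 0-1 and starts the nc.exe search at byte 2. The following Python is an added example (not from the thread or from the Snort project) that implements a simplified model of those Snort 2 modifier semantics and evaluates both quoted rules against constructed TFTP packets; it does not parse arbitrary Snort syntax, only the options used here.

```python
# Constructed sample payloads (not captured traffic).
# TFTP read request: opcode 0x0001, filename, NUL, mode, NUL.
TFTP_RRQ_NC = b"\x00\x01" + b"nc.exe\x00" + b"octet\x00"
# Same filename in a write request (opcode 0x0002): the |0001| check must fail.
TFTP_WRQ_NC = b"\x00\x02" + b"nc.exe\x00" + b"octet\x00"

# Rule bodies as quoted in the thread (sid 1441, rev 1 and rev 2).
RULE_OLD = ('msg:"TFTP GET nc.exe"; content:"|0001|"; offset:0; depth:2; '
            'content:"nc.exe"; nocase; classtype:successful-admin; sid:1441; rev:1;')
RULE_NEW = ('msg:"TFTP GET nc.exe"; content:"|0001|"; offset:0; depth:2; '
            'content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:2;')

def parse_content(value):
    """Snort content string -> bytes: text between | bars is hex, the rest is literal."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(rule):
    """Return [(pattern, modifiers), ...]. A modifier is attached to the content
    keyword that precedes it, which is why two offsets in one rule do not conflict."""
    contents = []
    for opt in filter(None, (o.strip() for o in rule.split(";"))):
        key, _, val = opt.partition(":")
        if key == "content":
            contents.append((parse_content(val.strip().strip('"')), {}))
        elif key in ("offset", "depth", "nocase") and contents:
            contents[-1][1][key] = int(val) if val else True
    return contents

def search_windows(rule, payload):
    """For each content, the [start, end) byte range that is actually searched.
    Simplified Snort 2 model: offset = where the search starts (absolute),
    depth = how many bytes from there are examined, no depth = to end of payload."""
    windows = []
    for pattern, mods in parse_rule(rule):
        start = mods.get("offset", 0)
        end = start + mods["depth"] if "depth" in mods else len(payload)
        windows.append((pattern, start, min(end, len(payload))))
    return windows

def matches(rule, payload):
    """True when every content pattern is found inside its own search window."""
    for (pattern, start, end), (_, mods) in zip(search_windows(rule, payload), parse_rule(rule)):
        window = payload[start:end]
        if mods.get("nocase"):
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True
```

Running `search_windows(RULE_NEW, TFTP_RRQ_NC)` shows the nc.exe search starting at byte 2, which is the only change between rev 1 and rev 2.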
