[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Smith, Donald Donald.Smith at ...89...
Mon Jul 21 05:26:04 EDT 2003


The content is very easy to change:-)
It's just a for loop incrementing by 1.


> Also, a number of people have posted sigs that are not only matching
> based on IP protocol number, but also on content.  Obviously this will
> only catch the *tool* being used, and not the *exploit* which is far

	_Excellent_ point.  It might even make sense to use both sets of
rules; the content-specific rules to identify that the original tool is 
being used, and the more generic protocol-only rules afterwards to show 
that someone's trying to exploit those protocols, but they're using a 
different tool.
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "Cogito ergo sum...cogito."
(Courtesy of Bob Hillery <rhillery at ...1687...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
