[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Smith, Donald Donald.Smith at ...89...
Mon Jul 21 05:26:04 EDT 2003

The content is very easy to change :-)
It's just a for loop incrementing by 1.

> Also, a number of people have posted sigs that are not only matching
> based on IP protocol number, but also on content.  Obviously this will
> only catch the *tool* being used, and not the *exploit* which is far

	_Excellent_ point.  It might even make sense to use both sets of
rules; the content-specific rules to identify that the original tool is 
being used, and the more generic protocol-only rules afterwards to show 
that someone's trying to exploit those protocols, but they're using a 
different tool.
	- Bill

        "Cogito ergo sum...cogito."
(Courtesy of Bob Hillery <rhillery at ...1687...>)
William Stearns (wstearns at ...157...).  Mason, Buildkernel, freedups,
rsync-backup, ssh-keyinstall, dns-check, more at:
Linux articles at:
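
The two-tier rule ordering described in the reply above, as an added example that is not part of the original thread and not actual Snort rules. The watched protocol numbers, the incrementing-byte payload signature, and all names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed: IP protocol numbers the protocol-only rules watch for.
WATCHED_PROTOCOLS = frozenset({53, 55, 77, 103})
# Constructed stand-in for the original tool's payload: bytes incrementing by 1.
TOOL_SIGNATURE = bytes(range(16))


@dataclass(frozen=True)
class Packet:
    src: str
    ip_proto: int
    payload: bytes


def classify(pkt: Packet) -> Optional[str]:
    """Apply the content-specific rule first, the generic rule afterwards."""
    if pkt.ip_proto not in WATCHED_PROTOCOLS:
        return None
    if TOOL_SIGNATURE in pkt.payload:
        return "known-tool"      # protocol + content: the original tool
    return "protocol-only"       # protocol alone: same protocols, different tool


def triage(packets):
    """Group source addresses by the most specific rule that fired."""
    hits = {"known-tool": set(), "protocol-only": set()}
    for pkt in packets:
        label = classify(pkt)
        if label:
            hits[label].add(pkt.src)
    return {name: sorted(srcs) for name, srcs in hits.items()}


# Constructed sample traffic (documentation addresses).
SAMPLE = [
    Packet("192.0.2.10", 53, bytes(range(26))),   # unmodified tool payload
    Packet("192.0.2.20", 77, b"\x41" * 26),       # payload changed, same protocol
    Packet("192.0.2.30", 6, bytes(range(26))),    # TCP: matching bytes, unwatched protocol
    Packet("192.0.2.20", 103, b""),               # empty payload
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A source that changes the payload drops out of the "known-tool" bucket but still lands in "protocol-only", which is the gap a content-only signature leaves open.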
