[Snort-sigs] More: Question on SID 285

Steven Alexander alexander.s at ...1565...
Tue Jun 10 17:55:07 EDT 2003


The following rule would detect shellcode for a pop2 exploit containing
the correct "/bin/sh".  



alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:to_server,established; content:"|ffff ff2f 6269 6e2f 7368 00|"; classtype:attempted-admin; sid:XXXX; rev:6;)



I'm not sure if this should be a new rule or if 285 should be changed.
My argument would be for a new rule.  It is possible that there are both
working and disabled exploits available.  The exploit code that I found
contained another incorrect variant of "/bin/sh".  That variant is
detected by the rule listed below.  


alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:to_server,established; content:"|ffff ff0f 4249 4e0f 5348 00|"; classtype:attempted-admin; sid:XXXX; rev:6;)


I realize that this is for an old exploit and I apologize if anyone
thinks this is a waste of time.

-steven
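The two rules above differ only in their content: bytes, and the question of one rule versus two comes down to what those bytes actually decode to. The following added example (not part of Steven's post or of the Snort rule set) parses a Snort content: value, hex between pipes and literal text outside them, into raw bytes, and then runs both patterns over a few constructed sample payloads. Decoding shows the first pattern is "\xff\xff\xff/bin/sh\0" while the second is "\xff\xff\xff\x0fBIN\x0fSH\0", so neither rule matches the other's traffic and a single rule cannot cover both. The payload strings and rule names are constructed for the test; the rules are assumed to have no nocase modifier, so matching is byte-exact as in the originals.

```python
"""Decode Snort content: patterns and test them against constructed payloads."""

# content: values copied from the two proposed POP2 rules (hex inside pipes).
POP2_CORRECT_SH = '|ffff ff2f 6269 6e2f 7368 00|'
POP2_BROKEN_SH = '|ffff ff0f 4249 4e0f 5348 00|'

# Hypothetical rule names used only to label results in this example.
RULES = {
    'pop2-overflow-correct-binsh': POP2_CORRECT_SH,
    'pop2-overflow-broken-binsh': POP2_BROKEN_SH,
}

HEX_DIGITS = set('0123456789abcdefABCDEF')


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content: value into the raw bytes it matches.

    Text outside |...| is literal (backslash escapes the next character, so
    \\| \\" and \\\\ are literal); text inside |...| is hex with whitespace
    ignored. Raises ValueError on malformed hex sections.
    """
    out = bytearray()
    hexbuf = ''
    in_hex = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if in_hex:
            if ch == '|':
                if len(hexbuf) % 2:
                    raise ValueError('odd number of hex digits in content')
                out += bytes.fromhex(hexbuf)
                hexbuf = ''
                in_hex = False
            elif not ch.isspace():
                if ch not in HEX_DIGITS:
                    raise ValueError(f'bad hex digit {ch!r} in content')
                hexbuf += ch
        elif ch == '|':
            in_hex = True
        elif ch == '\\' and i + 1 < len(pattern):
            i += 1
            out.append(ord(pattern[i]))
        else:
            out.append(ord(ch))
        i += 1
    if in_hex:
        raise ValueError('unterminated hex section in content')
    return bytes(out)


def matching_rules(payload: bytes, rules: dict = RULES) -> list:
    """Return the names of rules whose content bytes occur in the payload.

    Byte-exact search, which is what Snort does without nocase.
    """
    return [name for name, pat in rules.items() if parse_content(pat) in payload]


# Constructed sample payloads: a normal POP2 command, then two payloads that
# carry each decoded string after a FOLD command. These are test fixtures for
# the detection logic, not exploit traffic.
SAMPLES = {
    'benign': b'USER alice\r\n',
    'correct_binsh': b'FOLD ' + b'\xff\xff\xff/bin/sh\x00' + b'\r\n',
    'broken_binsh': b'FOLD ' + b'\xff\xff\xff\x0fBIN\x0fSH\x00' + b'\r\n',
}


def classify_samples(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the list of rules that fire on it."""
    return {name: matching_rules(data) for name, data in samples.items()}


if __name__ == '__main__':
    for rule, pat in RULES.items():
        print(f'{rule}: {parse_content(pat)!r}')
    for name, hits in classify_samples().items():
        print(f'{name}: {hits or "no match"}')
```

Because the two decoded strings share no common substring beyond the three leading 0xff bytes, each payload is caught by exactly one rule; the example is there to make that separation visible rather than to argue for either SID layout.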



