[Snort-sigs] Avoidance of 2597.2 (WEB-MISC Samba SWAT Authorization overflow attempt)

Brian bmc at ...95...
Wed Aug 4 14:24:11 EDT 2004

On Wed, Aug 04, 2004 at 02:38:00PM -0600, nnposter at ...592... wrote:
> Current version of the rule incorrectly assumes specific spacing. 
> As a result, an attacker can easily get around the signature.

Go read the source to SWAT.  It requires explicit spacing.

rev 1 had more better evasion foo, but this is specific to SWAT.

