[Snort-sigs] [Fwd: Updated mIRC Signature]

Matthew Jonkman matt at ...2436...
Tue Jun 29 21:04:02 EDT 2004

Updated by Syke. Update is posted.

Thanks Syke

Here's an updated version, revised the way Matthew recommended. I tested
it somewhat with different characters and lengths, and didn't find any
false positives, but if anyone does find any just have them post to the
snort-sigs list and I'll see what I can do. The rule is as follows:

alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"mIRC <=6.12 DCC Buffer Overflow"; \
    flow:to_client, established; content:"DCC SEND "; isdataat:100, relative; \
    nocase; reference:bugtraq,8880; classtype:attempted-dos; rev:3)
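
The rule's payload options, modelled in Python as an added example that is not part of the original post or of Snort: it shows where the isdataat:100, relative boundary falls and one case where a short offer still alerts. The function names, the sample IRC lines and the reading of isdataat (true when a byte exists at that offset) are assumptions made for the illustration.

```python
# Added illustration: models the rule's payload options, not Snort itself.
CONTENT = b"DCC SEND "   # content:"DCC SEND "; nocase;
ISDATAAT = 100           # isdataat:100, relative;

def rule_matches(payload: bytes) -> bool:
    """Return True if one TCP payload would satisfy the rule's payload options."""
    idx = payload.upper().find(CONTENT)      # nocase: case-insensitive search
    if idx < 0:
        return False
    cursor = idx + len(CONTENT)              # "relative" counts from the end of the match
    # Assumption: isdataat passes when a byte exists at cursor + ISDATAAT.
    # Testing the first match is enough: later matches have less data after them.
    return cursor + ISDATAAT < len(payload)

def dcc_send(filename: bytes) -> bytes:
    """Constructed IRC line carrying a CTCP DCC SEND offer (hypothetical sender/target)."""
    return b":a!b@c PRIVMSG d :\x01DCC SEND " + filename + b" 3232235777 1024 2048\x01\r\n"

# Constructed payloads. The text after the filename is 24 bytes long,
# so a filename of 77 bytes is the shortest that reaches the isdataat offset.
SAMPLES = {
    "short offer": dcc_send(b"notes.txt"),
    "76-byte filename": dcc_send(b"f" * 76),
    "77-byte filename": dcc_send(b"f" * 77),
    "lowercase keyword": dcc_send(b"f" * 77).lower(),
    # A short offer followed by unrelated traffic in the same segment:
    # isdataat does not stop at the end of the IRC line.
    "short offer + next line": dcc_send(b"notes.txt")
        + b":a!b@c PRIVMSG d :" + b"x" * 120 + b"\r\n",
}

def evaluate() -> dict:
    """Run every constructed payload through the model."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

The last sample alerts even though its DCC SEND offer is short, which is the kind of case to include when testing the rule for false positives.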
