[Snort-sigs] Witty signature

Brian bmc at ...95...
Sat Mar 20 13:58:02 EST 2004


On Sat, Mar 20, 2004 at 05:17:35AM -0600, todb at ...794... wrote:
> Pretty easy one:

Yeah, except those are easily evadable.  Try these on for size.

alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:2;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:2;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:2;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:2;)

BTW, ISS has a nifty feature I wish more people would support...
dumping all of the registers when the decoder crashes.  Well, all of
them except EIP.  I guess they don't want their products used to write
exploits for... their products.

Brian
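To make the option chains in the four rules above concrete, here is a small Python model of the Snort rule options they use (content with depth/distance/within, the relative forms of byte_test and byte_jump), run over constructed UDP payloads. This is an added example, not part of Brian's post and not Snort's own code. The payload layout is inferred only from the fixed offsets the rules test; the filler bytes and the four little-endian length-prefixed fields are assumptions, not captured ICQ or Witty traffic, and the field names in the rule messages are not modelled. The model re-tries later occurrences of a content when the options after it fail, which is what lets the unanchored third content:"|05 00|" skip the earlier |05 00| hits at offsets 0 and 22 and land on the one followed by |de 03|; it also shows why sid 2443 tests the 16-bit value 18 bytes past |de 03| directly while each later sid first byte_jumps over one more length-prefixed field.

```python
"""Toy model of the Snort options used in sids 2443-2446, evaluated over
constructed payloads.  Added example: not Snort, not from the original post."""
import struct

# An option is (kind, params).  `cursor` is the end of the previous match.
def content(pattern, depth=None, distance=None, within=None):
    return ("content", dict(pattern=pattern, depth=depth, distance=distance, within=within))

def byte_test(nbytes, op, value, offset, little=False):
    # Only the `relative` form is modelled, which is all the posted rules use.
    return ("byte_test", dict(nbytes=nbytes, op=op, value=value, offset=offset, little=little))

def byte_jump(nbytes, offset, little=False):
    return ("byte_jump", dict(nbytes=nbytes, offset=offset, little=little))

OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def _read(payload, pos, nbytes, little):
    """Read an unsigned integer at pos, or None if it runs off the payload."""
    if pos < 0 or pos + nbytes > len(payload):
        return None
    return int.from_bytes(payload[pos:pos + nbytes], "little" if little else "big")

def _match(payload, options, idx, cursor):
    """Evaluate options[idx:] from cursor.  For a content, every hit inside the
    search window is tried in turn until the rest of the chain succeeds."""
    if idx == len(options):
        return True
    kind, p = options[idx]
    if kind == "content":
        pat = p["pattern"]
        if p["distance"] is not None or p["within"] is not None:
            # Relative search: starts `distance` past the cursor; the whole
            # pattern must fall within `within` bytes of that start.
            start = cursor + (p["distance"] or 0)
            end = start + p["within"] if p["within"] is not None else len(payload)
        else:
            # Absolute search from the start of the payload, bounded by depth.
            start = 0
            end = p["depth"] if p["depth"] is not None else len(payload)
        pos = payload.find(pat, start, end)
        while pos != -1:
            if _match(payload, options, idx + 1, pos + len(pat)):
                return True
            pos = payload.find(pat, pos + 1, end)
        return False
    if kind == "byte_test":
        v = _read(payload, cursor + p["offset"], p["nbytes"], p["little"])
        return v is not None and OPS[p["op"]](v, p["value"]) and _match(payload, options, idx + 1, cursor)
    if kind == "byte_jump":
        at = cursor + p["offset"]
        v = _read(payload, at, p["nbytes"], p["little"])
        if v is None:
            return False
        # The cursor moves to just past the bytes read, plus the value read.
        return _match(payload, options, idx + 1, at + p["nbytes"] + v)
    raise ValueError(kind)

def rule_matches(payload, options):
    return _match(payload, options, 0, 0)

# The option chain shared by all four posted rules, transcribed from the text.
COMMON = [
    content(b"\x05\x00", depth=2),
    content(b"\x12\x02", distance=5, within=2),
    byte_test(1, ">", 1, 12),
    content(b"\x05\x00", distance=0),
    content(b"\x6e\x00", distance=5, within=2),
    content(b"\x05\x00"),
    content(b"\xde\x03", distance=5, within=2),
]
OVERFLOW = byte_test(2, ">", 128, 0, little=True)
SKIP = byte_jump(2, 0, little=True)
RULES = {
    2443: COMMON + [byte_test(2, ">", 128, 18, little=True)],
    2444: COMMON + [byte_jump(2, 18, little=True), OVERFLOW],
    2445: COMMON + [byte_jump(2, 18, little=True), SKIP, OVERFLOW],
    2446: COMMON + [byte_jump(2, 18, little=True), SKIP, SKIP, OVERFLOW],
}

def build_payload(field_lengths):
    """Constructed payload: satisfies the fixed-offset checks, then carries four
    little-endian length-prefixed fields.  Filler is 'A'; this is not real ICQ."""
    f = b"A"
    p = b"\x05\x00" + f * 5 + b"\x12\x02"    # offsets 0-1 and 7-8
    p += f * 12 + b"\x02"                    # offset 21 must be > 1
    p += b"\x05\x00" + f * 5 + b"\x6e\x00"   # offsets 22-23 and 29-30
    p += b"\x05\x00" + f * 5 + b"\xde\x03"   # offsets 31-32 and 38-39
    p += f * 18                              # 18 bytes to the first length word (offset 58)
    for n in field_lengths:
        p += struct.pack("<H", n) + f * n
    return p

def firing_rules(payload):
    """Return the sorted list of sids whose option chain matches the payload."""
    return sorted(sid for sid, opts in RULES.items() if rule_matches(payload, opts))

if __name__ == "__main__":
    for lens in ([10, 10, 10, 10], [200, 10, 10, 10], [10, 10, 10, 400]):
        print(lens, "->", firing_rules(build_payload(lens)))
```

Each sid fires on exactly one oversized field, so the four rules partition the four fields rather than overlapping; a payload too short for a byte_jump to land inside simply fails the rule instead of raising.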
