[Snort-sigs] help with 2 rules

Rowland, Krisa W ERDC-ITL-MS Contractor Krisa.W.Rowland at ...2112...
Wed Mar 2 13:08:08 EST 2005

I used to find links to the vulnerabilities in the sigs. Can you help me
understand these two alerts?
I believe this one is a chat alert?
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000345; rev:3;)

I have no idea what this exploit is for.

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content: "|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test: 4,>,256,17,relative; content: "tRNS"; distance: 4; classtype:misc-attack; sid:2001723; rev:2;)


Krisa Rowland
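
The payload options of the second rule (sid:2001723), modelled in Python as an added example that is not part of the original post and is not Snort code. The function and sample names are hypothetical, the byte strings are constructed, and the rule's port and flow options are not modelled.

```python
import struct

# First content of the rule: PNG signature, IHDR length (13) and "IHDR".
PNG_IHDR = bytes.fromhex("89504e470d0a1a0a0000000d49484452")


def rule_2001723_payload_match(payload: bytes) -> bool:
    """Model the content / byte_test / content+distance options of the rule."""
    start = payload.find(PNG_IHDR)
    while start != -1:
        cursor = start + len(PNG_IHDR)            # end of the first content match
        field = payload[cursor + 17:cursor + 21]  # byte_test: 4 bytes at +17, relative
        # 13 bytes of IHDR data + 4 bytes of CRC = 17, so in a well-formed
        # file this field is the length of the chunk that follows IHDR.
        if len(field) == 4 and struct.unpack(">I", field)[0] > 256:
            # content:"tRNS"; distance:4 -> search from cursor + 4 onwards
            if payload.find(b"tRNS", cursor + 4) != -1:
                return True
        start = payload.find(PNG_IHDR, start + 1)  # try a later signature match
    return False


def chunk(ctype: bytes, data: bytes) -> bytes:
    # length, type, data, zeroed CRC (the rule never inspects the CRC)
    return struct.pack(">I", len(data)) + ctype + data + b"\x00" * 4


# Constructed samples: HTTP response header followed by PNG header fields only.
HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
IHDR = PNG_IHDR + struct.pack(">IIBBBBB", 16, 16, 8, 3, 0, 0, 0) + b"\x00" * 4
LONG_TRNS = HTTP + IHDR + chunk(b"tRNS", b"\x00" * 512)
SHORT_TRNS = HTTP + IHDR + chunk(b"tRNS", b"\x00\x00")
PALETTE = HTTP + IHDR + chunk(b"PLTE", b"\x00" * 768) + chunk(b"tRNS", b"\xff" * 256)

if __name__ == "__main__":
    for name, sample in [("long tRNS", LONG_TRNS), ("short tRNS", SHORT_TRNS),
                         ("PLTE then tRNS", PALETTE)]:
        print(name, rule_2001723_payload_match(sample))
```

The third sample, a palette image with a transparency chunk, also returns True: the byte_test reads the length of whichever chunk follows IHDR, and the final content has no within bound.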
