[Snort-sigs] new rule for detect LPD on hpux

rmkml rmkml at ...324...
Thu Oct 27 02:15:07 EDT 2005


Hi,

Please check and add this new rule:

exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos;)

This rule detects the exploit on lpd over hpux with "${IFS}" content (msf
exploit), but it does not detect shell metacharacters ("`" or single
backquote).

Improvements are welcome.

Regards
Rmkml
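
Added example, not part of the original post and not Snort's own code: a small decoder for the rule's content option and a coverage check showing what the single content match alerts on and what it misses. The sample payloads, the function names and the "queue"/"placeholder" strings are constructed for illustration.

```python
import re

# Content option copied from the rule in the post.
RULE_CONTENT = "|24 7B 49 46 53 7D|"

def decode_content(spec: str) -> bytes:
    """Decode a Snort content string: literal text outside |...|, hex inside.

    Simplification (assumption): backslash escapes in the literal part
    are not handled, since the rule above does not use them.
    """
    if spec.count("|") % 2:
        raise ValueError("unterminated hex block")
    out = bytearray()
    # Segments alternate: literal, hex block, literal, ...
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
            continue
        hex_bytes = part.split()
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", h) for h in hex_bytes):
            raise ValueError(f"bad hex block: {part!r}")
        out += bytes(int(h, 16) for h in hex_bytes)
    return bytes(out)

def rule_matches(payload: bytes, spec: str = RULE_CONTENT) -> bool:
    """Case-sensitive substring match, as content behaves without nocase."""
    return decode_content(spec) in payload

# Constructed payloads (not captured traffic).
SAMPLES = {
    "ifs": b"queue${IFS}placeholder\n",
    "backquote": b"queue`placeholder`\n",
    "plain": b"queue\n",
}

def coverage() -> dict:
    """Map each sample name to whether the rule's content would match it."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print("content decodes to:", decode_content(RULE_CONTENT))
    for name, hit in coverage().items():
        print(f"{name:10} {'alert' if hit else 'no alert'}")
```
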




