[Snort-sigs] Crusoe Researches offer new rule for detecting VMware auth overflow attempt!

rmkml rmkml at ...324...
Sun Jan 4 12:34:53 EST 2009


Hi,

Crusoe Researches is offering a new rule for detecting a VMware auth overflow attempt:
http://www.Crusoe-Researches.com/en/vmwareauthoverflow.txt
Remember to adjust the EXTERNAL_NET/HOME_NET variable!

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact at ...3281...
=> Crusoe Researches have more than 3735 UNIQ 'snort' rules for Commercial Access
            (Contact me directly if you are interested)

Crusoe Researches support Bro idps v1.4.6 project format rules
(http://www.bro-ids.org/):
signature sid-93735 {
  ip-proto == tcp
  dst-port == 912
  event "MISC VMware authd USER overflow attempt"
  tcp-state established,originator
  payload /.*USER [^\n]{100}/
}

Happy New Year
Regards
Rmkml
Crusoe-Researches.com
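
The condition in the Bro signature above, written out as an added example (not part of the original post and not Crusoe Researches' code) so it can be exercised offline on constructed payloads. The class and function names and the per-connection buffering, which measures a USER line that arrives split across segments as one line, are assumptions of this example.

```python
import re

AUTHD_PORT = 912   # dst-port in the signature
ARG_LIMIT = 100    # {100} in the signature's payload pattern
# Same condition as the payload pattern: "USER " followed by at least
# ARG_LIMIT bytes that are not a newline.
OVERLONG_USER = re.compile(rb"USER [^\n]{%d}" % ARG_LIMIT)
# Longest unterminated line that cannot already contain a full match.
KEEP = len(b"USER ") + ARG_LIMIT - 1


class OriginatorStream:
    """Client-to-server bytes of one established TCP connection (assumed model)."""

    def __init__(self, dst_port):
        self.dst_port = dst_port
        self.tail = b""  # unfinished last line carried to the next segment

    def feed(self, segment):
        """Return True if this segment completes an overlong USER argument."""
        if self.dst_port != AUTHD_PORT:
            return False
        data = self.tail + segment
        if OVERLONG_USER.search(data):
            self.tail = b""  # alert once, then start measuring afresh
            return True
        # No match so far: only the last KEEP bytes of the unfinished line
        # can still become part of one, so memory per connection stays bounded.
        self.tail = data.rsplit(b"\n", 1)[-1][-KEEP:]
        return False


def scan(dst_port, segments):
    """Feed segments in order; return indexes of the segments that alerted."""
    stream = OriginatorStream(dst_port)
    return [i for i, seg in enumerate(segments) if stream.feed(seg)]


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    long_arg = b"A" * ARG_LIMIT
    print(scan(912, [b"USER alice\r\n"]))                             # normal login
    print(scan(912, [b"US", b"ER " + long_arg[:60], long_arg[60:]]))  # split line
```

A carriage return counts toward the 100 bytes because the pattern only excludes `\n`, so a 99-character name terminated with `\r\n` also matches.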



