[Snort-sigs] Crusoe Researches offer new rule for detecting VMware auth overflow attempt!

JJ Cummings cummingsj at ...2420...
Sun Jan 4 20:43:16 EST 2009


wasn't advertising on this list addressed already?


On Jan 4, 2009, at 10:34 AM, rmkml wrote:

> Hi,
>
> Crusoe Researches offering a new rule for detecting VMware auth  
> overflow attempt:
> http://www.Crusoe-Researches.com/en/vmwareauthoverflow.txt
> remember to adjust the EXTERNAL_NET/HOME_NET variable!
>
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
> contact at ...3281...
> => Crusoe Researches have more than 3735 UNIQ 'snort' rules for  
> Commercial Access
>            (Contact me directly if you are interested)
>
> Crusoe Researches support Bro idps v1.4.6 project format rules
> (http://www.bro-ids.org/):
> signature sid-93735 {
>  ip-proto == tcp
>  dst-port == 912
>  event "MISC VMware authd USER overflow attempt"
>  tcp-state established,originator
>  payload /.*USER [^\n]{100}/
>  }
>
> Happy New Year
> Regards
> Rmkml
> Crusoe-Researches.com
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20090104/40e33bcc/attachment.html>


More information about the Snort-sigs mailing list