[Snort-sigs] More poorly performing GID 3 rules....

Patrick Mullen pmullen at ...435...
Wed Feb 3 13:07:06 EST 2010


Actually, both of those rules are open source if you want to look at
their source code.

bad-traffic_pgm-nak-overflow.c
p2p_winny.c

Not all SO rules are closed source.  Many SO rules are C code because
they do much more than the standard rules library allows; despite
popular opinion, rules aren't compiled only to obfuscate the
detection.  :)


Hope this helps,

~Patrick

On Wed, Feb 3, 2010 at 12:49 PM, Guise McAllaster
<guise.mcallaster at ...2420...> wrote:
> More poorly performing GID 3 rules that I cannot understand without
> reversing because they are compiled and the source is not released.
>
> 7019 - P2P WinNY connection attempt
> 8351 - BAD-TRAFFIC PGM nak list overflow attempt
>
> Srsly, is there any good reason these are protected by closed source?
> Maybe I can understand 8351 if it is part of your deal with MS but
> WinNY???  And don't get me started on the SMB hogs....
>
> Guise
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list