[Snort-users] strange rules in overflow-lib

lmonin at ...252... lmonin at ...252...
Sun Aug 20 06:01:51 EDT 2000


Hi,


	I found these rules in overflow-lib:

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail";flags:PA; content:"eb53 eb20 5bfc 33c9 b182 8bf3 802b";) 
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax";flags:PA; content:"eb45 eb20 5bfc 33c9 b182 8bf3 802b";) 

Aren't the pipe symbols missing? I propose content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|" instead.

	
alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; flags:PA; content:"|0821 0280 0821 0280 0821 0280 08210 0280|";)

The content seems to be too long (perhaps a typo); I would replace it with
	content:"|0821 0280 0821 0280 0821 0280 0821 0280|";)

	Please check if I'm wrong.

	Zas
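
An added example, not part of the original post or of Snort itself: a small Python check for the two problems raised above, a content option that looks like hex but has no pipe symbols (so it is matched as ASCII text) and a |...| section with an odd number of hex digits. The function names and the "looks like hex" heuristic (only hex digits and spaces, at least four digits) are assumptions made for this sketch.

```python
import re

CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')
HEX_WS_RE = re.compile(r'[0-9A-Fa-f\s]+')

def check_content(value):
    """Return findings for one content value (the text between the quotes)."""
    parts = value.split("|")
    if len(parts) % 2 == 0:           # odd number of '|' characters
        return ["unbalanced pipe symbols"]
    findings = []
    for i, part in enumerate(parts):
        digits = "".join(part.split())
        if i % 2 == 1:                # odd index: inside |...|, read as hex bytes
            if not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                findings.append("non-hex character inside pipes")
            elif len(digits) % 2:
                findings.append("odd number of hex digits (%d)" % len(digits))
        elif HEX_WS_RE.fullmatch(part) and len(digits) >= 4:
            # Heuristic (assumption): literal text that is nothing but hex digits
            findings.append("hex-looking text without pipes, matched as ASCII")
    return findings

def lint_rule(rule):
    """Check every content option found in one rule line."""
    out = []
    for value in CONTENT_RE.findall(rule):
        out.extend(check_content(value))
    return out

# The three rules quoted in the post, then the two proposed content options.
SAMPLES = [
    'alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail";flags:PA; content:"eb53 eb20 5bfc 33c9 b182 8bf3 802b";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax";flags:PA; content:"eb45 eb20 5bfc 33c9 b182 8bf3 802b";)',
    'alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; flags:PA; content:"|0821 0280 0821 0280 0821 0280 08210 0280|";)',
    'content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|";',
    'content:"|0821 0280 0821 0280 0821 0280 0821 0280|";',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(lint_rule(rule) or "ok", "<-", rule)
```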
	




