[Snort-users] a new worm 4 linux - Adore

Max Vision vision at ...4...
Thu Apr 5 09:49:11 EDT 2001


On Thu, 5 Apr 2001, Max Vision wrote:
> http://whitehats.com/info/IDS457  LPRng-redhat7-overflow-security.is

On closer inspection (oops!) it looks like I did not write this rule; it
was contributed by NIT security.  Unfortunately I didn't have time to test
it after it was submitted, and it could use some improvement.

Most notably, the content field should key on the shellcode instead of the
format strings variable area towards the top of the packet.

I will fix this and push the update to the public site in a few minutes.

Max




