[Snort-users] snmpXdmi rule

Borja Marcos borjam at ...778...
Thu Apr 19 03:19:49 EDT 2001


On Thursday 19 April 2001 08:15, you wrote:
> 1.7 version
> ---
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow
> attempt"; flags:a+; content:"|8000 19a0|"; offset:4; depth:4;
> content:"|00018799|"; offset: 16; reference:bugtraq,2417;
> reference:cve,CAN-2001-0236;)

	1.7 detects it as a "rstatd" probe. Searching for the hex data
"018799" in the payload of the packets can show the attempts.



	Borja.
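
Added example, not part of the original post or of Snort: a Python sketch comparing an unanchored search for the bytes 01 87 99 with a check that reads the program-number field of a record-marked ONC RPC call at byte offset 16, the offset used in the quoted rule. The helper build_call and the sample payloads are constructed for illustration; the RPC header layout follows RFC 5531.

```python
import struct

SNMPXDMID_PROG = 0x00018799  # bytes matched by content:"|00018799|" in the quoted rule
RSTATD_PROG = 100001         # rstatd's ONC RPC program number (0x000186A1)
RPC_CALL, RPC_VERSION = 0, 2 # msg_type CALL and rpcvers, per RFC 5531

def naive_match(payload: bytes) -> bool:
    """Unanchored search for the bytes 01 87 99 anywhere in the payload."""
    return b"\x01\x87\x99" in payload

def rpc_call_program(payload: bytes):
    """Program number of a record-marked ONC RPC call over TCP, else None.

    Layout: record marker | xid | msg_type | rpcvers | prog (4 bytes each),
    so prog sits at byte offset 16, the offset used by the quoted rule.
    """
    if len(payload) < 20:
        return None
    marker, _xid, msg_type, rpcvers, prog = struct.unpack(">5I", payload[:20])
    if (marker & 0x7FFFFFFF) < 16:      # fragment too short to hold a call header
        return None
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    return prog

def is_snmpxdmid_call(payload: bytes) -> bool:
    return rpc_call_program(payload) == SNMPXDMID_PROG

def build_call(prog: int, body: bytes = b"") -> bytes:
    """Construct a sample call header (hypothetical helper for the samples)."""
    msg = struct.pack(">6I", 0x1234, RPC_CALL, RPC_VERSION, prog, 1, 1) + body
    return struct.pack(">I", 0x80000000 | len(msg)) + msg  # last-fragment bit set

# Constructed sample payloads, not captured traffic.
SAMPLE_SNMPXDMID = build_call(SNMPXDMID_PROG)
SAMPLE_RSTATD = build_call(RSTATD_PROG)
SAMPLE_INCIDENTAL = build_call(RSTATD_PROG, b"\x00\x01\x87\x99")  # bytes in body only

if __name__ == "__main__":
    for name in ("SAMPLE_SNMPXDMID", "SAMPLE_RSTATD", "SAMPLE_INCIDENTAL"):
        p = globals()[name]
        print(name, "naive:", naive_match(p), "structured:", is_snmpxdmid_call(p))
```

The third sample carries the bytes only in the call body, so the unanchored search matches it while the offset-16 check does not.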




