[Snort-users] Urgent!! ddos-stacheldraht server-spoof

Max Vision vision at ...4...
Fri Mar 30 22:37:09 EST 2001


Well, the ICMPID of 666 is certainly suspicious, however now that I look
back at the data, it looks like the packets will usually be padded with
zeros (http://whitehats.com/info/IDS193).

Actually, I think this signature needs to be revised, as now that I think
of it, those "????" in the payload are very familiar... what is that,
Napster?  guh...

I will change this rule to include "dsize: >32;" which should mitigate
these until it can be sorted out.
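
An added illustration, not part of the original post or of the Snort rule set: the two conditions the post names (ICMP ID 666 and "dsize: >32") evaluated over constructed ICMP messages. The payload lengths, the echo-reply type and all function names are assumptions made for this sketch, and dsize is taken here as the number of bytes after the 8-byte echo header.

```python
import struct

ICMP_ID_SUSPECT = 666   # ICMP ID value named in the post
DSIZE_MIN = 32          # revised condition from the post: dsize > 32


def parse_icmp(msg: bytes):
    """Split a raw ICMP echo message into (type, code, id, seq, payload)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return itype, code, ident, seq, msg[8:]


def id_only_rule(msg: bytes) -> bool:
    """ICMP ID check alone (the only existing condition the post mentions)."""
    return parse_icmp(msg)[2] == ICMP_ID_SUSPECT


def revised_rule(msg: bytes) -> bool:
    """ICMP ID check plus the payload-size condition dsize > 32."""
    _, _, ident, _, payload = parse_icmp(msg)
    return ident == ICMP_ID_SUSPECT and len(payload) > DSIZE_MIN


def build_icmp(itype: int, ident: int, payload: bytes) -> bytes:
    """Build a constructed sample message; the checksum is left at zero."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, 0) + payload


# Constructed samples (type 0 = echo reply is an assumption, not from the post).
SAMPLES = {
    "zero_padded_64": build_icmp(0, 666, b"\x00" * 64),
    "question_marks_16": build_icmp(0, 666, b"????" * 4),
    "other_id_64": build_icmp(0, 1234, b"\x00" * 64),
}


def evaluate(samples=SAMPLES):
    """Return {name: (id_only_match, revised_match)} for each sample."""
    return {n: (id_only_rule(m), revised_rule(m)) for n, m in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:20} id-only={old!s:5} with-dsize={new}")
```

The size test is strict, so a payload of exactly 32 bytes with ICMP ID 666 does not match the revised condition.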


