[Snort-users] snort attacks

Steve Moran SteveM at ...2142...
Tue May 29 17:37:20 EDT 2001


I appreciate your effort, but you're looking deeper than I was.  The
particular rule or attack signature I used as an example was just that, an
example.  What I was shooting for was, well when someone writes the snort
attack rules, they are trying to detect a particular vulnerability or attack
type, snort logs this attack and I'm using acid to view some information
about it, now I get this ACID report and many of the attacks I see I
understand what the goal of the attack was or what the exploit the attacker
was looking for.  I was simply looking for a better description of the
ruleset, something like
x86 NOOP - unicode BUFFER OVERFLOW ATTACK	- this rule is checking to
see if you turned off the left handed smoke shifter on a windows nt box, you
should install patch xxx from microsoft to disable this vulnerability.  only
windows machines are vulnerable to this attack blah blah blah
You know what I mean?

-----Original Message-----
From: Max Vision [mailto:vision at ...4...]
Sent: Tuesday, May 29, 2001 3:26 PM
To: Steve Moran
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] snort attacks



You would need to consider the context and additional details surrounding
this alert.  What service was receiving this packet (as judged by the port
numbers)?  What OS is the machine running?  What were the contents of the
packet?  Were there other probes from the same source IP that preceded
this alert, like a portmap probe?

Also what is the unicode reference, can you post the rule you used that
caused this?

Max

On Tue, 29 May 2001, Steve Moran wrote:
> Where can I find a description of the attacks or the exploit someone is
> trying to use?  For example, if I see this type of attack is occurring
> x86 NOOP - unicode BUFFER OVERFLOW ATTACK
>
> How would I know what they are trying for?
>

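As an added example (not code from either poster), here is a small Python triage helper that parses Snort "fast"-format alert lines and answers two of the context questions raised above for a chosen alert: which service the destination port suggests, and what else the same source IP did beforehand. The alert lines, rule names, SIDs, addresses and the port-to-service table are all constructed assumptions, not a real capture or real Snort rule IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Snort "fast" alert format (not a real capture).
# Rule names echo the thread; SIDs and addresses are made up.
SAMPLE_ALERTS = """\
05/29-15:10:02.000000 [**] [1:100001:1] RPC portmap request [**] [Priority: 2] {UDP} 10.9.9.9:40000 -> 192.168.1.10:111
05/29-15:11:30.000000 [**] [1:100002:1] WEB-IIS unicode directory traversal [**] [Priority: 1] {TCP} 10.9.9.9:40100 -> 192.168.1.10:80
05/29-15:26:00.000000 [**] [1:100003:1] x86 NOOP - unicode BUFFER OVERFLOW ATTACK [**] [Priority: 1] {TCP} 10.9.9.9:40200 -> 192.168.1.10:80
05/29-15:26:05.000000 [**] [1:100003:1] x86 NOOP - unicode BUFFER OVERFLOW ATTACK [**] [Priority: 1] {TCP} 10.7.7.7:51000 -> 192.168.1.20:8080
"""

# One fast-format line: timestamp, [gid:sid:rev], message, ..., {proto} src:port -> dst:port
LINE_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumed port-to-service hints; the fast log itself carries only port numbers.
SERVICE_HINTS = {80: "http", 111: "portmap/rpcbind", 8080: "http-alt"}


def parse_alerts(text, year=2001):
    """Parse fast-format lines into dicts; the fast log omits the year, so it is supplied."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an alert line
        d = m.groupdict()
        ts = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
                       "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])})
    return alerts


def context_for(alerts, idx, window=timedelta(hours=1)):
    """For alerts[idx]: the likely target service, and what the same source
    triggered earlier within `window` (e.g. a portmap probe before the overflow alert)."""
    a = alerts[idx]
    earlier = [b for b in alerts[:idx]
               if b["src"] == a["src"] and a["ts"] - b["ts"] <= window]
    service = SERVICE_HINTS.get(a["dport"], f"port {a['dport']}/{a['proto'].lower()}")
    return {"service": service, "prior_msgs": [b["msg"] for b in earlier]}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for i, a in enumerate(parsed):
        print(a["ts"], a["src"], "->", a["dst"], a["msg"], context_for(parsed, i))
```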
