[Snort-users] newbie question ....

McCammon, Keith Keith.McCammon at ...3497...
Tue Sep 10 13:37:05 EDT 2002


By looking at the packet captures and determining patterns.  Patterns may be related to the network service in use (i.e., Kerberos), or they may be related to the exploit itself.  A common example would be [insert lame IIS exploit here], which usually involves sending packets that contain at least X number of characters, where X is a number just higher than that which the system can appropriately process.  

> -----Original Message-----
> From: Ryan Hairyes [mailto:rhairyes at ...6860...]
> Sent: Tuesday, September 10, 2002 4:17 PM
> To: Erek Adams
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] newbie question ....
> 
> 
> Yes it does ... thanks ...  that does clear it up a lot for me ... but I
> was still wondering how they got the >120 ... that isn't the infection
> size... is it?
> 
> Thanks again.
> 
> Quoting Erek Adams <erek at ...577...>:
> 
> : On Tue, 10 Sep 2002, Ryan Hairyes wrote:
> : 
> : > I'm new to snort .... and I was wondering if someone may be able to
> : > point me in the right direction.  My question is .... how do you
> : > determine the DSIZE when using the dsize option.  I noticed with the
> : > virus.rules file the klez alert that the dsize is set to >120.  Thanks
> : > for the help.
> : 
> : Sure.
> : 
> : http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.8
> : 
> : "The dsize option is used to test the packet payload size. It may be set
> : to any value, plus use the greater than/less than signs to indicate ranges
> : and limits. For example, if you know that a certain service has a buffer
> : of a certain size, you can set this option to watch for attempted buffer
> : overflows. It has the added advantage of being a much faster way to test
> : for a buffer overflow than a payload content check."
> : 
> : Does that help?
> : 
> : -----
> : Erek Adams
> : Nifty-Type-Guy
> : TheAdamsFamily.Net
> : 
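As an added illustration (not part of the thread or of Snort itself): a small Python sketch of what dsize actually measures, the TCP payload length rather than the whole frame, and how expressions such as `>120` are evaluated against it. The packet builder, the minimal 20-byte headers and the inclusive treatment of `A<>B` ranges are assumptions of this example; check the manual for your Snort version.

```python
from __future__ import annotations

import re
import struct
from typing import Callable, Iterable

# Accepts the argument of a Snort 'dsize:' option: '>N', '<N', 'N' or 'A<>B'.
_DSIZE_RE = re.compile(r"^\s*(?:(<|>)\s*(\d+)|(\d+)\s*<>\s*(\d+)|(\d+))\s*;?\s*$")


def parse_dsize(expr: str) -> Callable[[int], bool]:
    """Turn a dsize expression into a predicate on payload length.
    The 'A<>B' range is treated as inclusive here (an assumption)."""
    m = _DSIZE_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported dsize expression: {expr!r}")
    op, n, lo, hi, exact = m.groups()
    if op == ">":
        return lambda size: size > int(n)
    if op == "<":
        return lambda size: size < int(n)
    if lo is not None:
        return lambda size: int(lo) <= size <= int(hi)
    return lambda size: size == int(exact)


def tcp_payload_size(ip_packet: bytes) -> int:
    """Payload length of an IPv4/TCP packet: the number dsize is compared
    against. Only bytes after the TCP header count, not the headers."""
    ihl = (ip_packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ip_packet[9] != 6:
        raise ValueError("not a TCP packet")
    data_off = (ip_packet[ihl + 12] >> 4) * 4  # TCP header length in bytes
    return total_len - ihl - data_off


def build_tcp_packet(payload: bytes) -> bytes:
    """Constructed sample IPv4/TCP packet with minimal headers (no options,
    checksums left at zero); used only to feed the functions above."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def firing_sizes(expr: str, packets: Iterable[bytes]) -> list[int]:
    """Payload sizes among 'packets' on which the dsize expression would fire."""
    pred = parse_dsize(expr)
    return [s for s in map(tcp_payload_size, packets) if pred(s)]
```

Tabulating `tcp_payload_size` over a capture of one service's normal traffic is the "look at the captures and find the pattern" step: the largest benign value seen is the X just below which a `dsize:>X` rule sits.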