[Snort-users] Re: snort

Phil Wood cpw at ...440...
Wed Jul 30 11:10:06 EDT 2003


http://securityfocus.com/archive/1/330574/2003-07-20/2003-07-26/0

On Wed, Jul 30, 2003 at 10:25:15AM -0600, asclark wrote:
> Hey thanks for the improved rule. I've tested it with my IDS using both
> scanners and actual exploit code and it doesn't detect anything, even
> after attacking the IDS machines directly. It's possible it is simply not
> compatible with the IDS that I run (snort based so it should be), but
> hopefully others can test/use it.
> 
> It looks right to me though. It's pretty much the same as what I was
> working on except for the content strings to match on.
> 
> Did you get it off a site or did you write it? If you wrote it yourself
> I'd be very interested to know how you got the content data. I tried
> sniffing packets and performing the attack but I couldn't get any
> consistent data that I could use for detection with either tcpdump or
> ethereal. Otherwise could you point me to the site you got it from ?
> 
> Thanks
> 
> A.
> 
> Anthony S. Clark
> asclark at ...440...
> Los Alamos National Laboratory
> 0 1 1 3 5 8 13 21 34 55 89 144
> 
> On Tue, 29 Jul 2003, Susan Coulter wrote:
> 
> >
> >
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCE RPC
> > Interface Buffer Overflow Exploit"; content:"|00 5C 00 5C|";
> > content:!"|5C|"; within:32; flow:to_server,established;
> > reference:Bugtraq,8205; rev: 1; )
> >
> > On Tuesday 29 July 2003 14:51, asclark wrote:
> > > This is kind of a kludge, but this is what I'm using right now. I just
> > > made the SID up, but I have tested this with actual exploit code and the
> > > IDS picks it up.
> > >
> > >
> > > alert tcp $EXTERNAL_NET any <> $HOME_NET 135 (msg:"BAD TRAFFIC tcp port
> > > 135 traffic"; classtype:misc-activity; sid:52402020202; rev:6;)
> > >
> > > A
> > >
> > > Anthony S. Clark
> > > asclark at ...440...
> > > Los Alamos National Laboratory
> > > 0 1 1 3 5 8 13 21 34 55 89 144
> >

-- 
Phil Wood, cpw at ...440...
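An added example, not part of this thread and not Snort's own code: a small Python emulation of the quoted rule's content / content:! / within logic, run over constructed UTF-16LE UNC paths. It shows the server-name length at which the rule's "no backslash within 32 bytes" condition starts to hold. The payload layout (a NUL byte ahead of the "\\" so the 00 5C 00 5C pattern lines up) and the approximation of Snort's matching (every occurrence of the first content is tried) are assumptions made for illustration.

```python
# Constants taken from the rule quoted in the thread above.
FIRST = bytes.fromhex("005c005c")   # content:"|00 5C 00 5C|"
NEGATED = b"\x5c"                   # content:!"|5C|"
WITHIN = 32                         # within:32


def rule_matches(payload: bytes) -> bool:
    """Return True when the rule's payload conditions hold.

    Approximation of Snort's evaluation: each occurrence of FIRST is
    tried in turn; for one of them, the WITHIN bytes after the end of
    that match must contain no 0x5C byte (the negated content).
    """
    start = 0
    while True:
        idx = payload.find(FIRST, start)
        if idx < 0:
            return False
        end = idx + len(FIRST)
        window = payload[end:end + WITHIN]
        if NEGATED not in window:
            return True
        start = idx + 1


def unc_path_utf16le(server: str, share: str) -> bytes:
    """Constructed sample payload: a UNC path \\\\server\\share as UTF-16LE.

    The leading NUL is an assumed high byte of whatever precedes the path
    in the request; it makes 00 5C 00 5C line up on the first two
    backslashes the way the rule expects.
    """
    return b"\x00" + ("\\\\%s\\%s" % (server, share)).encode("utf-16-le")


def shortest_alerting_server_name() -> int:
    """Empirically find the shortest server-name length that makes the
    rule fire against the constructed sample path (-1 if none below 64)."""
    for n in range(1, 64):
        if rule_matches(unc_path_utf16le("A" * n, "share")):
            return n
    return -1
```

For a normal short server name the next backslash falls inside the 32-byte window and the negated content fails, so nothing fires; once the name reaches 16 UTF-16 characters the window holds no 0x5C and the rule's conditions are met.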