[Snort-users] RPC + snort
jill.tovey at ...8678...
Fri May 2 07:56:47 EDT 2003
I am looking at an RPC attack generated by the sidestep tool. The
attack works by using null-byte encoding to attempt to evade snort.
However, this tool is quite old and snort has since been updated and can
detect this attack - I am just wondering if anyone can explain how
exactly snort can detect this?

I am guessing it might be something to do with the rpc-decode rule,
however, someone with more knowledge on the subject than I has suggested
that it is because snort has a signature for target machine RPC replies
- can anyone explain it?