[Snort-users] RPC + snort

Jill Tovey jill.tovey at ...8678...
Fri May 2 07:56:47 EDT 2003


Hi All,

I am looking at an RPC attack generated by the sidestep tool.  The
attack works by using null-byte encoding to attempt to evade snort.
However, this tool is quite old and snort has since been updated and can
detect this attack - I am just wondering if anyone can explain how
exactly snort can detect this?

I am guessing it might be something to do with the rpc-decode rule,
however, someone with more knowledge on the subject than I has suggested
that it is because snort has a signature for target machine RPC replies
- can anyone explain it?








