Re: [Snort-users] snort rule
Hi lokesh,
maybe a good start is this:
alert udp any any -> any 67 (msg:"DHCP Service byte-code sequence exploit detected"; content:"|01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF|"; classtype:shellcode-detect; sid:999999; rev:1;)
Finding your byte-code sequence in a DHCP request is easy (the byte-code sequence is long and reduces FP), and finding an invalid input HLen in a DHCP request is very hard.
Best Regards
Rmkml
On Wed, 29 Aug 2007, lokesh sharma wrote:
> Date: Wed, 29 Aug 2007 18:42:55 +1000 (EST)
> From: lokesh sharma <lokeshpunjabi_1984@yahoo.com.au>
> To: Snort-users@lists.sourceforge.net
> Subject: [Snort-users] snort rule
>
> Can you help me to write rules regarding DHCP?
> The rule is:
> "detect all attempts to exploit this vulnerability. In particular, it should detect attempts by any computer making DHCP requests where the Hlen field has an invalid value, and where the following byte-code sequence is found anywhere in the Sname or File fields. The byte-code sequence should not be matched in any other field of the request. The byte-code sequence (in hexadecimal) is:
> 01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF
> on detection of such attack attempts, your rule should generate an alert with the message:
> "DHCP Service invalid input HLen attack detected".
>
> Thanks
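The two conditions from the quoted request, implemented as an added Python example that is not part of either message in this thread. It parses the fixed BOOTP header as laid out in RFC 2131 (hlen at offset 2, sname at offset 44 for 64 bytes, file at offset 108 for 128 bytes, options from offset 236), so the byte sequence is only searched in the sname/file region and a hit in the options field does not alert. Because the assignment does not say what "invalid" means for hlen, the example assumes hlen is invalid when it does not fit the 16-byte chaddr field or, for Ethernet (htype 1), is not 6. The packet builder and sample packets are constructed here for testing only.

```python
import struct

# Byte-code sequence quoted in the original request.
SIGNATURE = bytes.fromhex("01482387AB1FFA2C9A0000000021FFFF")

# Fixed-field layout of a BOOTP/DHCP message (RFC 2131, section 2).
CHADDR_LEN = 16
SNAME_OFF, SNAME_LEN = 44, 64
FILE_OFF, FILE_LEN = 108, 128
OPTIONS_OFF = 236                      # sname + file end here; options follow
ALERT_MSG = "DHCP Service invalid input HLen attack detected"


def hlen_is_valid(htype, hlen):
    """Assumed definition of a valid hlen (the request does not define it):
    it must fit in the 16-byte chaddr field, and for Ethernet (htype 1)
    it must be 6."""
    if hlen < 1 or hlen > CHADDR_LEN:
        return False
    if htype == 1 and hlen != 6:
        return False
    return True


def inspect_dhcp(payload):
    """Inspect one UDP payload. Return ALERT_MSG when the packet is a
    BOOTREQUEST with an invalid hlen AND the signature appears in the
    sname/file region; return None otherwise."""
    if len(payload) < OPTIONS_OFF:
        return None                    # truncated: no complete fixed header
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 1:
        return None                    # only client requests (BOOTREQUEST)
    if hlen_is_valid(htype, hlen):
        return None
    # sname and file are contiguous, so one slice covers both fields and
    # also catches a sequence that straddles their boundary. Anything in
    # the options field (offset 236 onward) is deliberately not searched.
    fields = payload[SNAME_OFF:OPTIONS_OFF]
    if SIGNATURE in fields:
        return ALERT_MSG
    return None


def build_request(hlen=6, htype=1, sname=b"", file=b"", options=b""):
    """Build a minimal BOOTREQUEST (constructed test data, not a capture)."""
    # op, htype, hlen, hops, xid, secs, flags (broadcast bit set)
    header = struct.pack("!BBBBIHH", 1, htype, hlen, 0, 0x3903F326, 0, 0x8000)
    addrs = b"\x00" * 16               # ciaddr, yiaddr, siaddr, giaddr
    chaddr = b"\x00\x11\x22\x33\x44\x55".ljust(CHADDR_LEN, b"\x00")
    sname_f = sname.ljust(SNAME_LEN, b"\x00")[:SNAME_LEN]
    file_f = file.ljust(FILE_LEN, b"\x00")[:FILE_LEN]
    cookie = b"\x63\x82\x53\x63"       # DHCP magic cookie
    return header + addrs + chaddr + sname_f + file_f + cookie + options + b"\xff"


if __name__ == "__main__":
    # Signature in the file field with an impossible hlen: alert.
    print(inspect_dhcp(build_request(hlen=255, file=b"boot.bin\x00" + SIGNATURE)))
    # Same signature, valid hlen: no alert.
    print(inspect_dhcp(build_request(hlen=6, file=SIGNATURE)))
    # Signature only inside option 60 (vendor class, length 16): no alert.
    print(inspect_dhcp(build_request(hlen=255, options=b"\x3c\x10" + SIGNATURE)))
```

In Snort 2 rule syntax the same two conditions map onto `byte_test` on the single hlen byte at offset 2 and a `content` match restricted with `offset:44; depth:192;`, which is how the "only in Sname or File" requirement is expressed without a full DHCP parser.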
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Received on Wed Aug 29 05:38:32 2007