
Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit

From: Martin Roesch <roesch(at)sourcefire.com>
Date: Fri Mar 14 2003 - 00:02:59 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, March 11, 2003, at 12:32 AM, Loki wrote:

> One thing to mention, the exploit wouldn't have triggered any of the
> "official" snort rules in my post as I disabled all rules except for my
> own custom rules file: fatelabs.rules.

Sid numbering:

0-100: Reserved for Marty
101-1000000: Snort.org "official" rules
1000001-2^32: Userland.

> Your confusion as to why the official snort rules using depth and mine
> which do not, both causing it to trigger really has nothing to do with
> depth. Specifying depth tells Snort not to look past 'n' bytes within
> the packet (a way of increasing the speed of Snort processing packets).

There's a big difference between using the depth/offset options properly and incorrectly. When used properly (which usually requires an intimate knowledge of the protocol you're analyzing) it works very well; people who are inexperienced with Snort and network protocol analysis should think twice about using these options.

     -Marty


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+cWKLqj0FAQQ3KOARAqQTAJ9fDUgq8j+T5w/lxE1HCeNxp5xHmwCfXFNf 3GbNE3YsqnyW+aVxOUnrXr4=
=mKXU
-----END PGP SIGNATURE-----


Received on Fri Mar 14 12:30:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:00 EDT
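
The difference between a correctly and an incorrectly bounded content match, as an added example that is not part of the original thread. It models the search window as `payload[offset:offset+depth]`; the message layout (4-byte length header, 8-byte command field, then body), the pattern and the rule names are hypothetical, and the payloads are constructed.

```python
import struct

def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """Simplified model of a content match with offset/depth.

    offset: bytes skipped from the start of the payload before searching.
    depth:  number of bytes searched from that point (None = to the end).
    The pattern must lie wholly inside the window to match.
    """
    if depth is not None and depth < len(pattern):
        raise ValueError("depth must be at least the pattern length")
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def build_message(command: bytes, body: bytes) -> bytes:
    """Hypothetical protocol: 4-byte big-endian length, 8-byte command, body."""
    field = command.ljust(8)  # space-padded command field
    return struct.pack(">I", len(field) + len(body)) + field + body

PATTERN = b"EXECUTE"

# Constructed sample payloads.
MESSAGES = [
    build_message(b"EXECUTE", b"job-42"),                 # command IS EXECUTE
    build_message(b"STATUS", b"last command: EXECUTE"),   # only mentioned in body
]

# (offset, depth) per rule variant.
RULES = {
    "no depth": (0, None),          # searches the whole payload
    "depth, no offset": (0, 8),     # window covers header + half the command
    "offset 4, depth 8": (4, 8),    # window is exactly the command field
}

def evaluate():
    """Return {rule name: [match on message 0, match on message 1]}."""
    return {
        name: [content_match(m, PATTERN, off, dep) for m in MESSAGES]
        for name, (off, dep) in RULES.items()
    }

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:20s} {hits}")
```

The unbounded rule fires on both messages (one false positive), the rule with depth but no offset misses the real command (a false negative), and only the window aligned to the command field separates the two.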

