[Snort-sigs] netric/eSDee dhcpd exploit rule.
From: Alberto Gonzalez <albertg(at)wwjh.net>
Date: Thu Apr 10 2003 - 10:30:16 EDT
I haven't been following the list much, so excuse me if someone already did this. I had this sitting on the laptop for a while.

alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg: "netric/eSDee dhcpd exploit"; content: "|2e 25 30 38 78 2e 25 30 38 78|"; reference: cve, CAN-2002-0702; classtype: attempted-admin; rev:1;)

I'm sure there is room for improvement, but it got the job done down here with no FPs when run through normal.pcap.
Cheers,
[1] - http://www.wwjh.net/~albertg/dhcp-expl.tgz
Contains the pcaps I used for exploit & normal traffic. As well as
the signature itself.
Received on Thu Apr 10 11:15:50 2003
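Added example, not part of the original post or its tarball: a small Python check that decodes the rule's content option and applies the rule's header and content test to constructed DHCP payloads. The function names and both sample packets are assumptions made for illustration; the $EXTERNAL_NET/$HOME_NET direction is not modelled.

```python
# Content option and destination port copied from the rule in the post above.
RULE_CONTENT = "|2e 25 30 38 78 2e 25 30 38 78|"
DHCP_SERVER_PORT = 67


def decode_content(option: str) -> bytes:
    """Decode a Snort content string: |..| spans are hex bytes, the rest is literal.

    Backslash escapes (\\", \\;) are not handled; the rule above has none.
    """
    if option.count("|") % 2:
        raise ValueError("unbalanced '|' in content option")
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        if i % 2:                      # odd segments sit between pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def bootp_request(hostname: bytes) -> bytes:
    """Constructed sample: minimal BOOTP/DHCP request with a hostname option (12)."""
    fixed = bytes([1, 1, 6, 0]) + bytes(232)    # op, htype, hlen, hops + zeroed fields
    magic = bytes([99, 130, 83, 99])            # DHCP magic cookie
    options = bytes([53, 1, 3, 12, len(hostname)]) + hostname + b"\xff"
    return fixed + magic + options


def rule_matches(proto: str, dst_port: int, payload: bytes) -> bool:
    """Rule header (udp, dst port 67) plus its single case-sensitive content match."""
    return (proto == "udp" and dst_port == DHCP_SERVER_PORT
            and decode_content(RULE_CONTENT) in payload)


if __name__ == "__main__":
    print("content decodes to:", decode_content(RULE_CONTENT))
    # Constructed payloads. The position of the signature bytes is arbitrary:
    # the rule has no offset/depth, so it matches anywhere in the UDP payload.
    samples = {
        "benign hostname": bootp_request(b"laptop-01"),
        "signature bytes present": bootp_request(b"x.%08x.%08x"),
    }
    for name, payload in samples.items():
        print(f"{name:26s} alert={rule_matches('udp', 67, payload)}")
```

The decoded content is a pair of printf-style format specifiers, which is why ordinary DHCP traffic is unlikely to contain it.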