
List:       snort-sigs
Subject:    [Snort-sigs] Re: [Snort-users] dns.rules... Snort Rule ID: 259 named overflow
From:       Brian Caswell <bmc () mitre ! org>
Date:       2001-07-17 12:32:37

Dragos Ruiu wrote:
> 
> Quick questions to the snorting world about this rule...
> Explanation first... it contains a big ass long string the
> exploit uses as:
> 
> "thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanywayhorizongotitworkingsoalliscool"
> 
> Which seems like a lot of needless searching that it makes snort go through
> and a mild waste of cpu when (content:"workingsoalliscool"; offset:xx) would
> seem to be more efficient and sufficient.... (And besides, the real reason that
> I'm complaining is that it looks damn ugly on my html tables in the rules
> editor... :-)
> 
> But more importantly, this would seem to catch the precanned sploit kiddies but
> be vulnerable to evasion by any sentient with more than two brain cells to rub
> together....
> 
> Does anyone have a better sig for Horizon's sploit we could use?
> (Is Horizon on any of these lists to answer?)

Correct me if I am wrong, but I thought other rules caught this
exploit. 

I don't like signatures like this signature (or any of the "ADMROCKS"
signatures for that matter) because they look for specific filler
text.  Usually there is something better that you can look for.  The
only benefit to these style signatures is that you can find what
actual exploit was used much easier.

Our network attack lab is currently in shambles.  Once it is in a
usable state, I'll look at building a signature that doesn't look for
the filler.

-brian

-- 
Brian Caswell
The MITRE Corporation
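The point made twice in this thread (Dragos: a shorter content match with an offset would do the same job; Brian: a signature keyed on filler text catches the canned exploit and nothing else) can be shown concretely. The block below is an added example, not code from the thread, from Snort, or from the exploit author: it models Snort's `content`/`offset`/`depth` semantics in a few lines of Python, encodes the full-filler rule and the shorter tail rule, and runs them over three constructed payloads. The payload layouts (a 12-byte DNS-style header in front of the filler), the `offset` value of 64, and the "retagged" variant with the filler swapped for arbitrary bytes are assumptions made for the illustration, not the real packet layout of the exploit.

```python
"""Snort-style content matching, modelled in Python to illustrate the thread.

Added example; assumptions are marked in comments. Not the real rule file,
not the real exploit layout.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The filler string quoted in the thread (Snort rule SID 259 matches on it).
FILLER = (
    "thisissometempspaceforthesockinaddrinyeahiknowthisislamebutanyway"
    "horizongotitworkingsoalliscool"
)


@dataclass(frozen=True)
class Rule:
    """A single Snort-style content check.

    offset: start searching this many bytes into the payload (Snort `offset`).
    depth:  look at no more than this many bytes from the offset (Snort `depth`).
    """
    msg: str
    content: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        window = payload[self.offset:]
        if self.depth is not None:
            window = window[: self.depth]
        return self.content in window


# The rule as the thread describes it: the whole 95-byte filler.
RULE_FILLER = Rule("named overflow, full filler (as in SID 259)", FILLER.encode())

# Dragos's proposal: the tail of the filler plus an offset. The thread gives
# "offset:xx"; 64 is an assumed value for this example.
RULE_TAIL = Rule("named overflow, filler tail", b"workingsoalliscool", offset=64)

# Assumed 12-byte DNS-like header used by the constructed payloads below.
_HEADER = b"\x13\x37\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def canned_payload() -> bytes:
    """Constructed stand-in for the unmodified exploit: header, then the filler
    exactly as the rule expects it, then some trailing bytes."""
    return _HEADER + FILLER.encode() + b"\x90" * 64


def retagged_payload() -> bytes:
    """Same layout, but the filler replaced by arbitrary bytes of the same
    length. This is the evasion the thread worries about: the filler is scratch
    space, so changing it costs the attacker nothing."""
    junk = bytes((i * 7 + 3) % 256 for i in range(len(FILLER)))
    return _HEADER + junk + b"\x90" * 64


def benign_query() -> bytes:
    """Constructed ordinary DNS query for example.com, type A, class IN."""
    header = b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"\x07example\x03com\x00"
    return header + qname + b"\x00\x01\x00\x01"


def evaluate(rules: Iterable[Rule], payload: bytes) -> Dict[str, bool]:
    """Run every rule over one payload; returns {msg: matched}."""
    return {rule.msg: rule.matches(payload) for rule in rules}


if __name__ == "__main__":
    for name, payload in (
        ("canned exploit", canned_payload()),
        ("retagged filler", retagged_payload()),
        ("benign query", benign_query()),
    ):
        print(name, evaluate((RULE_FILLER, RULE_TAIL), payload))
```

Both rules fire on the canned payload and both stay silent on the benign query, so the shorter match with an offset loses nothing against the precanned exploit. Both also stay silent on the retagged payload, which is the real weakness: any signature keyed to the filler, long or short, is tied to bytes the attacker can change freely. That is why a signature on something the exploit cannot change is the better target, which is what the reply above sets out to build.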

