
List:       snort-sigs
Subject:    [Snort-sigs] telnetd exploit signature issue
From:       Keith Pachulski <Keith.Pachulski () corp ! ptd ! net>
Date:       2001-07-25 19:20:23

When testing the signature against a noted vulnerable version of *bsd, the
"content" differed from the content in the sig posted on the snort website.
Below is the snort sig and the edited sig with the differing content.

#alert tcp $HOME_NET 23 -> any any (flags: A+; content: "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"; msg: "TESO *BSD Telnet exploit query response";)

alert tcp $HOME_NET 23 -> any any (flags: A+; content: "|0D0A FFFE 08FF FE26|"; msg: "re-edit of TESO *BSD Telnet exploit query response";)

07/25-12:18:43.518207 x.x.x.1:23 -> x.x.x.54:4274
TCP TTL:64 TOS:0x0 ID:58530 IpLen:20 DgmLen:90 DF
***AP*** Seq: 0x39EFAC5D  Ack: 0x398B6EDC  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1251212454 16932189 
<snip>
70 74 64 2E 6E 65 74 20 3A 20 79 65 73 5D 0D 0A  ptd.net : yes]..
FF FE 08 FF FE 26                                .....&
</snip>

-Keith

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-sigs
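
Added example, not part of the original message or of Snort itself: a Python check that decodes the two content strings from the rules above and tests them against the payload bytes in the posted dump, listing which bytes disagree. It assumes the simple content syntax used here (literal text plus |hex| runs, no backslash escapes) and that the dump shows the end of the payload; the function names are hypothetical.

```python
import re

# Content options copied from the two rules in the post.
ORIGINAL = "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"
EDITED = "|0D0A FFFE 08FF FE26|"

# Payload lines copied from the packet dump in the post (hex column, then ASCII).
DUMP = [
    "70 74 64 2E 6E 65 74 20 3A 20 79 65 73 5D 0D 0A  ptd.net : yes]..",
    "FF FE 08 FF FE 26                                .....&",
]

def parse_content(spec):
    """Turn a Snort content string into bytes: text is literal, |..| is hex."""
    if spec.count("|") % 2:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2:  # odd segments sit between pipes: hex byte pairs
            out += bytes.fromhex(re.sub(r"\s+", "", seg))
        else:      # even segments are literal text
            out += seg.encode("latin-1")
    return bytes(out)

def payload_from_dump(lines):
    """Rebuild payload bytes from the hex column (ends at two or more spaces)."""
    return b"".join(
        bytes.fromhex(re.split(r"\s{2,}", ln.strip(), maxsplit=1)[0]) for ln in lines
    )

def tail_diff(pattern, payload):
    """Align pattern with the end of payload; list (index, wanted, seen) mismatches."""
    tail = payload[-len(pattern):]
    return [(i, w, s) for i, (w, s) in enumerate(zip(pattern, tail)) if w != s]

def report():
    payload = payload_from_dump(DUMP)
    for name, spec in (("original", ORIGINAL), ("edited", EDITED)):
        pat = parse_content(spec)
        print(f"{name:8} offset={payload.find(pat):3} "
              f"mismatches={[(i, hex(w), hex(s)) for i, w, s in tail_diff(pat, payload)]}")

if __name__ == "__main__":
    report()
```

The original content fails on the text portion as well as on the FD/FE byte, since content matching is case-sensitive unless the rule adds `nocase`.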
