> I find another signature... It uses more long content, so more exact.
> Isn't it?
No. The SANS signature is merely a harder-to-read hex version with some
extra characters and extra source ports.
> alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";content:"
> |29202020202020696e73657274207769747479206d6573736167652068657265|";rev:1;)
i n s e r t
..etc.
There are better signatures for Snort 2.x that track the vulnerability,
not the exploit. Check the snort-sigs list for details.
- Tod (writing this 3/25/2004, let's see when the moderator approves...)
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303
Barfield Road, Atlanta, Georgia, USA 30328.
