RE: [Snort-users] Re: [Snort-sigs] Possible improvements to pop3 rules.
Here's the ultimate signature set to catch 0.000000000001 day `sploits.....

Alert tcp any any -> any any (msg:"0-day Exploit Rule for tcp"; classification:oh-sh*t; rev:1;)
Alert udp any any -> any any (msg:"0-day Exploit Rule for Udp"; classification:oh-sh*t; rev:1;)
Alert icmp any any -> any any (msg:"O-day exploit rule for ICMP"; classification:oh-sh*t; rev:1;)

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jeff Kell
Sent: Wednesday, May 04, 2005 1:15 AM
To: Erik de Castro Lopo; snort-users@lists.sourceforge.net
Subject: [Snort-users] Re: [Snort-sigs] Possible improvements to pop3 rules.

Erik de Castro Lopo wrote:
> So, two questions:
>
> 0) Are rule optimisations like this valid?

YES YES YES!

> 1) Are optimisations like this worthwhile?

YES YES YES! And anybody out there who has a non-zero packet loss that tries to tell you otherwise should be null-routed, dropped, rejected, and/or ignored!

It certainly isn't as "glamorous" or "cool" as trying to create the ever elusive 0.0000001-day exploit signature, but it is certainly appreciated by those of us without the time/energy/patience to re-create the wheel.

"We're really serious about reinventing everything that needs reinventing."
--Larry Wall

Faster is almost always better :-)

Jeff

-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games. Get your fingers limbered up and give it your best shot. 4 great events, 4 opportunities to win big! Highest score wins. NEC IT Guy Games. Play to win an NEC 61 plasma display.
Visit http://www.necitguy.com/?r=20
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...=snort-users