
| Subject: | Re: [Snort-sigs] help with LSASS rule |
|---|---|
| Date: | Mon, 13 Sep 2004 13:04:43 -0400 |
On 0, "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil> allegedly wrote:
I would consult the docs, this rule would be a lot to explain.
The doc will tell you what the underlying vulnerability detection is aimed at.
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Wohlberg, Jonathan
Sent: Monday, September 13, 2004 8:26 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] help with LSASS rule

I am trying to figure out how this rule works. Any help breaking it down would be appreciated.
This is not a very simple rule to explain, the notable piece though is:

flowbits:isset,netbios.lsass.bind.attempt;

Which means that for this rule to generate an event, a previous rule that sets the value netbios.lsass.bind.attempt must also meet certain conditions. Essentially, the previous rule makes sure that a bind attempt has been made before any potentially malicious content gets sent to generate an event from this particular rule.

So, to understand what is happening in total, you must also look for the rule(s) that do this:

flowbits:set,netbios.lsass.bind.attempt;
Jon
+-------------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
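The flowbits dependency described in the reply above, as an added example that is not part of the original thread: a small Python simulation of how a rule with flowbits:isset only fires on a flow where an earlier rule with flowbits:set (and noalert) has already matched. The rule patterns, flow tuples and payloads are constructed placeholders, not the real LSASS signatures or DCERPC traffic, and the evaluation order is a simplification of Snort's.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes                                # byte pattern the payload must contain
    flowbits: list = field(default_factory=list)  # ("set", name) / ("isset", name) / ("noalert",)

def evaluate(rule: Rule, bits: set, payload: bytes) -> bool:
    """True if the rule generates an event; `bits` is the set of flowbit names on this flow."""
    if rule.content not in payload:
        return False
    # Checks first: an unmet isset/isnotset means the rule does not fire at all.
    for op in rule.flowbits:
        if op[0] == "isset" and op[1] not in bits:
            return False
        if op[0] == "isnotset" and op[1] in bits:
            return False
    alert = True
    # Then state changes, which only happen once every check above has passed.
    for op in rule.flowbits:
        if op[0] == "set":
            bits.add(op[1])
        elif op[0] == "unset":
            bits.discard(op[1])
        elif op[0] == "noalert":
            alert = False                         # bookkeeping rule: set the bit, stay silent
    return alert

# Constructed stand-ins for the two rules the reply describes (not the real signatures).
BIND_RULE = Rule(1, "bind attempt (constructed)", b"BIND-LSASS",
                 [("set", "netbios.lsass.bind.attempt"), ("noalert",)])
REQUEST_RULE = Rule(2, "request after bind (constructed)", b"DS-ROLE-REQ",
                    [("isset", "netbios.lsass.bind.attempt")])

# Constructed flow tuples: (src, dst, sport, dport)
FLOW_A = ("10.0.0.5", "10.0.0.9", 40001, 445)
FLOW_B = ("10.0.0.6", "10.0.0.9", 40002, 445)

def run(packets, rules=(BIND_RULE, REQUEST_RULE)):
    """packets: list of (flow, payload). Returns the SIDs that generated events, in order."""
    flow_state = {}                               # flow tuple -> set of flowbit names
    events = []
    for flow, payload in packets:
        bits = flow_state.setdefault(flow, set())
        for rule in rules:
            if evaluate(rule, bits, payload):
                events.append(rule.sid)
    return events
```

Note that the flowbit is tracked per flow, so a bind on one connection does not satisfy the isset check for a request on a different connection.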