I think this rule was meant to be content:!"|00|"; instead of
content:!"00"; It should be detecting a null-byte and not double zeroes.
You can evade this rule by using 00 in your payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4105 (msg:"EXPLOIT CA CAM
log_security overflow attempt"; flow:to_server,established; content:"|FA
F9 00 10|"; isdataat:1025; content:!"00"; within:1021;
reference:bugtraq,14622; reference:cve,2005-2668; classtype:misc-attack;
sid:5316; rev:1;)
Cheers,
-Blake
--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
