Hi lokesh,
maybe good starting with this :
alert udp any any -> any 67 (msg:"DHCP Service byte-code sequence exploit
detected"; content:"|01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF|";
classtype:shellcode-detect; sid:999999; rev:1;)
Finding your byte-code sequence on dhcp request is easy (byte-code sequence is
long and reduce FP), and finding invalid input HLen on dhcp request is very
hard.
Best Regards
Rmkml
On Wed, 29 Aug 2007, lokesh sharma wrote:
Date: Wed, 29 Aug 2007 18:42:55 +1000 (EST)
From: lokesh sharma <lokeshpunjabi_1984@yahoo.com.au>
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] snort rule
can you help me
to write rules regarding DHCP
The rule is
"detect all attempts to exploit this vulnerability. In particular, it should
detect attempts by any computer making DHCP requests where hte Hlen
field has an invalid value, and where the following byte-code sequence is
found anywhere in the Sname or File fields.
The byte-code sequence should not be matched in any other field of the
request. The byte-code sequence (in hexadecimal) is:
01 48 23 87 AB 1F FA 2C 9A 00 00 00 00 21 FF FF
on detecction of such attack attempts, your rule should generate an alert
with the message:
"DHCP Service invalid input HLen attack detected".
thanx
---------------------------------
Get the World's number 1 free email service. Find out more.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
