Snort mailing list archives

Re: Hey the option Dsize is useful against the buffer overflows ?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Jan 2004 11:38:10 -0500

At 05:30 AM 1/19/2004, soldier Mx wrote:
I wanna know what the option Dsize is for; I don't know
in what example I could use it, or in what kind of
attack,

It's generally not useful by itself. It's usually used as a part of a signature.

i.e., a DNS packet containing the hex codes for 4 consecutive NOP instructions in a row, with a payload length that is over 800 bytes long, is quite suspicious.

Can somebody show me an example of it???

Um, grep the ruleset for dsize... there are hundreds of rules that use it.



I see that it works against buffer overflow attacks,
but how??

Well, it MIGHT be used as a part of a signature for an overflow attack, but it's also commonly used in other signatures.
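
Added example, not part of the original message or of the Snort ruleset: a small Python model of the signature described above (DNS payload over 800 bytes that also contains four consecutive NOP bytes), showing why dsize is paired with a content match rather than used alone. The rule text in the comment, the sid, the 0x90 (x86 NOP) byte value and all sample payloads are constructed for illustration.

```python
import re

# Snort rule modelled below (constructed; sid is from the local-rules range):
# alert udp any any -> any 53 (msg:"DNS large payload with NOP run"; \
#     dsize:>800; content:"|90 90 90 90|"; sid:1000001; rev:1;)

NOP_RUN = b"\x90" * 4  # assumption: x86 single-byte NOP opcode


def dsize_match(expr, payload_len):
    """Evaluate the simple dsize forms: 'N', '>N' or '<N'."""
    m = re.fullmatch(r"\s*([<>]?)\s*(\d+)\s*", expr)
    if not m:
        raise ValueError("unsupported dsize expression: %r" % expr)
    op, n = m.group(1), int(m.group(2))
    if op == ">":
        return payload_len > n
    if op == "<":
        return payload_len < n
    return payload_len == n


def rule_fires(payload, dsize=">800", content=NOP_RUN):
    """Both options must hold, as with options inside one Snort rule."""
    return dsize_match(dsize, len(payload)) and content in payload


def samples():
    """Constructed UDP payloads; none is real traffic."""
    return {
        "small_with_nops": b"\x00" * 20 + NOP_RUN + b"\x00" * 20,   # 44 bytes
        "large_benign": bytes(range(0x20, 0x7F)) * 10,              # 950 bytes
        "large_with_nops": b"A" * 500 + NOP_RUN * 8 + b"B" * 400,   # 932 bytes
        "boundary_800": NOP_RUN + b"C" * 796,                       # exactly 800
    }


def evaluate():
    """Per sample: (dsize alone, content alone, combined rule)."""
    return {
        name: (dsize_match(">800", len(p)), NOP_RUN in p, rule_fires(p))
        for name, p in samples().items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print("%-16s dsize=%s content=%s alert=%s" % ((name,) + result))
```

Only the sample that satisfies both options raises an alert; the large benign payload shows what dsize alone would flag, and the 800-byte sample shows that `>800` excludes the boundary.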




