Snort mailing list archives
Re: Hey the option Dsize is useful against the buffer overflows ?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Jan 2004 11:38:10 -0500
At 05:30 AM 1/19/2004, soldier Mx wrote:
I wanna know what the option Dsize is for. I don't know in what example I could use it, or in what kind of attack.
It's generally not useful by itself. It's usually used as a part of a signature, i.e.: a DNS packet containing the hex codes for 4 consecutive NOP instructions in a row, with a payload length that is over 800 bytes long, is quite suspicious.
Can somebody show me an example of it?
Um, grep the ruleset for dsize... there's hundreds of rules that use it.
I see that it works against buffer overflow attacks, but how?
Well, it MIGHT be used as a part of a signature for an overflow attack, but it's also commonly used in other signatures.
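The combination described in the reply above, as an added example that is not part of the original post or of the Snort ruleset: a small Python model of a rule that pairs `dsize:>800` with a content match for four consecutive NOP bytes, run over constructed payloads to show that neither option fires on its own. The rule text, its sid, the function names and the choice of x86 `0x90` as the NOP byte are assumptions.

```python
import re

# Hypothetical local rule mirroring the reply's description (not from the Snort ruleset).
# 0x90 is the x86 NOP opcode; the post names no architecture, so x86 is assumed.
EXAMPLE_RULE = ('alert udp any any -> any 53 (msg:"LOCAL DNS large payload with NOP run"; '
                'content:"|90 90 90 90|"; dsize:>800; sid:1000001; rev:1;)')


def parse_dsize(expr):
    """Turn a dsize argument ('>800', '<10', '512') into a test on payload length.
    Only these three forms are handled here; the range form is left out."""
    m = re.fullmatch(r"\s*([<>]?)\s*(\d+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported dsize expression: {expr!r}")
    op, n = m.group(1), int(m.group(2))
    if op == ">":
        return lambda size: size > n
    if op == "<":
        return lambda size: size < n
    return lambda size: size == n


def parse_content(pattern):
    """Decode Snort content syntax, where |..| sections hold hex bytes, into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:      # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload, dsize_expr=">800", content="|90 90 90 90|"):
    """Both options must hold: dsize tests payload length, content tests payload bytes."""
    return parse_dsize(dsize_expr)(len(payload)) and parse_content(content) in payload


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "small, with NOP run": b"\x12\x34" + b"\x90" * 4 + b"A" * 40,
    "large, no NOP run": b"\x12\x34" + b"A" * 900,
    "large, with NOP run": b"\x12\x34" + b"\x90" * 64 + b"A" * 840,
}

if __name__ == "__main__":
    print(EXAMPLE_RULE)
    for name, data in SAMPLES.items():
        print(f"{name:22} len={len(data):4} match={rule_matches(data)}")
```

Only the third payload matches: the first fails the size test and the second fails the content test, which is why `dsize` appears in rules as a qualifier rather than as the whole signature.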