Snort mailing list archives

Questions on Sig 31985


From: Sam <ccie8944 () yahoo com>
Date: Sat, 11 Oct 2014 15:07:05 +0000 (UTC)

I am testing the Bash vulnerability with DHCP to a Linux machine. Using dnsmasq, I am setting option 114 in the DHCP response. The DHCP client gets the address ok. My environment is a vuln Linux host > Cisco router (providing DHCP forwarding) > Sensor > DHCP Server.

I see sig 31985 looks for UDP ports bootpc and bootps, pattern match () { and pattern match 02 01 06 00. I was not able to get this to fire.

My observations: The DHCP packets between the forwarding router and DHCP server are exchanged on only the BOOTPS port (67). I don't see the client port (68) on any of the connection events. Also, I'm not sure what 02 01 06 00 is for. When I create my own signature with both ports set to bootps and remove the 02 01 06 00 pattern, the signature fires.

I may not have my exploit set up correctly. I am using the option 114 string found on several web sites.

Clarification/help is appreciated.

Thanks. Sam
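
The three conditions named in the message above, checked one at a time against a constructed DHCP reply (an added example, not part of the original post and not the text of sig 31985). It assumes the port condition wants one side on 67 and the other on 68, and that the four bytes are compared at the start of the UDP payload, where they decode as the BOOTP op, htype, hlen and hops fields; the function names and the option 114 value are made up for the illustration.

```python
import struct

BOOTPS, BOOTPC = 67, 68
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
OPS = {1: "BOOTREQUEST", 2: "BOOTREPLY"}

def build_reply(hops, options):
    """Constructed BOOTREPLY: op=2, htype=1 (Ethernet), hlen=6, other fields zeroed."""
    hdr = struct.pack("!BBBB", 2, 1, 6, hops) + bytes(232)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"

def options_with(payload, needle):
    """Walk the option TLVs; return the option codes whose value contains needle."""
    hits, i = [], 240
    if payload[236:240] != MAGIC:
        return hits
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if needle in payload[i + 2:i + 2 + length]:
            hits.append(code)
        i += 2 + length
    return hits

def evaluate(sport, dport, payload):
    """Report each assumed rule condition separately for one UDP datagram."""
    if len(payload) < 240:
        return None
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    return {
        "header": f"{OPS.get(op, op)} htype={htype} hlen={hlen} hops={hops}",
        "ports_67_and_68": {sport, dport} == {BOOTPS, BOOTPC},
        "bytes_02_01_06_00": payload[:4] == b"\x02\x01\x06\x00",
        "function_marker_in": options_with(payload, b"() {"),
    }

# Constructed sample: DHCPACK (option 53 = 5) with a harmless option 114 value.
SAMPLE = build_reply(0, [(53, b"\x05"), (114, b"() { constructed-sample")])
DIRECT = evaluate(67, 68, SAMPLE)    # server -> client on the same segment
RELAYED = evaluate(67, 67, SAMPLE)   # server -> relay, the port pair seen in the post

if __name__ == "__main__":
    print(DIRECT, RELAYED, sep="\n")
```

Under these assumptions the same payload satisfies both content checks in either path, and only the port condition differs between the direct and the relayed datagram.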

