Snort mailing list archives
Questions on Sig 31985
From: Sam <ccie8944 () yahoo com>
Date: Sat, 11 Oct 2014 15:07:05 +0000 (UTC)
I am testing the Bash vulnerability with DHCP to a Linux machine. Using dnsmasq, I am setting option 114 in the DHCP response. The DHCP client gets the address ok. My environment is a vuln Linux host > Cisco router (providing DHCP forwarding) > Sensor > DHCP Server.

I see sig 31985 looks for UDP ports bootpc and bootps, pattern match () { and pattern match 02 01 06 00. I was not able to get this to fire.

My observations: The DHCP packets between the forwarding router and DHCP server are exchanged on only the BOOTPS port (67). I don't see the client port (68) on any of the connection events. Also, I'm not sure what 02 01 06 00 is for. When I create my own signature with both ports set to bootps and remove the 02 01 06 00 pattern, the signature fires.

I may not have my exploit set up correctly. I am using the option 114 string found on several web sites. Clarification/help is appreciated.

Thanks.
Sam
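An added example, not part of the post above or of the Snort ruleset: a small Python decoder for a DHCP reply payload that reports whether the packet is on the relay leg (67 to 67), the first four BOOTP header octets, and any option whose value contains `() {`. It assumes the `02 01 06 00` content is meant to match those header octets (op=2 BOOTREPLY, htype=1 Ethernet, hlen=6, hops=0); the sample packet, addresses and function names are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: marks the start of DHCP options
FUNC_PREFIX = b"() {"                # content pattern quoted in the post

def parse_dhcp(payload):
    """Return (op, htype, hlen, hops, giaddr, options) from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = End
        if payload[i] == 0:                           # 0 = Pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        # Repeated codes are concatenated (RFC 3396 long options).
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, htype, hlen, hops, payload[24:28], options

def inspect(sport, dport, payload):
    """Summarise the fields that matter when tuning a rule for this traffic."""
    op, htype, hlen, hops, giaddr, options = parse_dhcp(payload)
    return {
        "first4": payload[:4].hex(),                  # op, htype, hlen, hops
        "is_bootreply": op == 2,
        "relay_leg": sport == 67 and dport == 67,     # router <-> server leg
        "giaddr_set": giaddr != b"\x00" * 4,          # relay agent address present
        "flagged_options": sorted(c for c, v in options.items() if FUNC_PREFIX in v),
    }

def build_sample(giaddr=b"\x00" * 4):
    """Constructed BOOTREPLY (not captured traffic) carrying option 114."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += b"\x00" * 4 + bytes([192, 0, 2, 50]) + b"\x00" * 4 + giaddr
    hdr += bytes.fromhex("020000000001").ljust(16, b"\x00") + b"\x00" * 192
    value = b"() { constructed sample }"              # inert marker string
    opts = bytes([53, 1, 5, 114, len(value)]) + value + b"\xff"
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    print(inspect(67, 67, build_sample(giaddr=bytes([192, 0, 2, 1]))))
    print(inspect(67, 68, build_sample()))
```

Running the same decoder over payloads extracted at the sensor shows which of the port pair and the header octets actually differ from what a rule expects on the relayed segment.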