Quote:
Originally Posted by fakie_flip
Why would I want to use hexadecimal?
You can catch virus/trojan/exploit packets with hex strings.
I believe you could catch this ssh exploit ..
Code:
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
.. with string like this:
Code:
ngrep -xX '0x90909090909090909090909090909090' port 22
I'm not an expert with this stuff, maybe there is someone that knows more and could confirm this?
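Added example, not part of the original post: a small Python sketch that decodes the `content:"|90 ...|"` option of the rule above into raw bytes, formats those bytes as the hex expression used with `ngrep -X`, and checks constructed payloads against them. The function names and sample payloads are assumptions made for illustration, and the decoder ignores Snort escapes and negated `content:!` options.

```python
import re

# Rule from the post above, shortened to the options this example needs.
RULE = ('drop tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
        'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'sid:1326; rev:6;)')

def decode_content(value):
    # Snort content syntax: text outside pipes is literal, text between a
    # pair of pipes is hex bytes. "GET |0D 0A|" means GET, space, CR, LF.
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment, spaces allowed
    return bytes(out)

def rule_contents(rule):
    # Decoded bytes of every content option in the rule.
    return [decode_content(v) for v in re.findall(r'content:\s*"([^"]*)"', rule)]

def ngrep_hex(pattern):
    # Same bytes written as a hex match expression for ngrep -X.
    return "0x" + pattern.hex()

def matches(rule, payload):
    # True when every content pattern occurs somewhere in the payload.
    return all(p in payload for p in rule_contents(rule))

if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    long_run = b"SSH-1.5-client\n" + b"\x90" * 32 + b"\x00"
    short_run = b"SSH-1.5-client\n" + b"\x90" * 15 + b"\x00"
    pattern = rule_contents(RULE)[0]
    print(len(pattern), ngrep_hex(pattern))
    print(matches(RULE, long_run), matches(RULE, short_run))
```

The pattern is 16 bytes long, so a run of 15 `0x90` bytes does not match in either tool.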