RE: packet payload/signature
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Message-ID: <BB7FD4FF9E440648A731452E5D341FB065464D@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: 'Zacharias Pigadas' <firstname.lastname@example.org>, email@example.com
Subject: RE: packet payload/signature
Date: Wed, 3 Oct 2001 11:31:21 -0400
What type of "payload" information are you trying to gather? And for what
Most of the snort rules have fairly specific payload information in the
content field. In addition, as far as web exploits are concerned, the
payload is self-explanatory by looking at the IIS logs, or any number of
analytical papers written about the scans.
> I am trying to write some customised IDS rules taking under consideration
> the packet payload - pretty much like in snort rules. My problem is that no
> matter where I looked I ended up with a description/exploit of the attack
> and/or vulnerability but not with the signature in the payload I was looking
> for. I would appreciate some websites that give away such information
> (www.cert.org, cve, Bugtraq etc. either don't or I am insulting my
> Thank you in advance,
> PS. I know that executing an exploit would provide me with the packet
> payload but that is what I am trying to avoid...
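To make concrete the point in the reply above that the `content` field of a snort rule already carries the payload signature, here is an added example (not from either poster) that parses the `content` options of a snort-style rule, including the `|hex|` byte notation and the `nocase` modifier, and checks a captured payload against them. The rule and payloads are constructed for illustration.

```python
def parse_content(option: str) -> bytes:
    """Turn a snort 'content' value such as 'GET |2f|cgi-bin/' into raw bytes.
    Text between pipe characters is hex; everything else is a literal string."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        if i % 2 == 1:                       # inside |...|: space-separated hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str):
    """Return a list of (signature_bytes, nocase) pairs from the rule's option block.
    Assumes the simple 'content:"..."; nocase;' layout of classic snort rules."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = [o.strip() for o in body.split(";") if o.strip()]
    sigs = []
    for j, opt in enumerate(opts):
        if opt.startswith("content:"):
            value = opt[len("content:"):].strip().strip('"')
            nocase = j + 1 < len(opts) and opts[j + 1] == "nocase"  # modifier follows
            sigs.append((parse_content(value), nocase))
    return sigs


def payload_matches(rule: str, payload: bytes) -> bool:
    """True when every content signature of the rule occurs in the payload."""
    for sig, nocase in parse_rule(rule):
        hay, needle = (payload.lower(), sig.lower()) if nocase else (payload, sig)
        if needle not in hay:
            return False
    return True


# Constructed rule: flag any HTTP request for /cgi-bin/ ending a header block.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"constructed cgi-bin request"; '
               'content:"GET |2f|cgi-bin/"; nocase; content:"|0d 0a 0d 0a|";)')

# Constructed payloads: one that the signature should match, one that it should not.
HIT_PAYLOAD = b"get /CGI-BIN/test.pl HTTP/1.0\r\n\r\n"
MISS_PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print("hit :", payload_matches(SAMPLE_RULE, HIT_PAYLOAD))    # True
    print("miss:", payload_matches(SAMPLE_RULE, MISS_PAYLOAD))   # False
```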