RE: packet payload/signature

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 10/03/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065464D@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: 'Zacharias Pigadas' <zpig@space.gr>, focus-ids@securityfocus.com
Subject: RE: packet payload/signature
Date: Wed, 3 Oct 2001 11:31:21 -0400 

What type of "payload" information are you trying to gather? And for what
services?

Most of the Snort rules have fairly specific payload information in the
content field. In addition, as far as web exploits are concerned, the
payload is self-explanatory by looking at the IIS logs, or any number of
analytical papers written about the scans.

Keith

-----Original Message-----
From: Zacharias Pigadas [mailto:zpig@space.gr]
Sent: Wednesday, October 03, 2001 2:36 AM
To: focus-ids@securityfocus.com
Subject: packet payload/signature

Hello everyone,

I am trying to write some customised IDS rules taking into consideration
the packet payload - pretty much like in Snort rules. My problem is that no
matter where I looked I ended up with a description/exploit of the attack
and/or vulnerability but not with the signature in the payload I was looking
for. I would appreciate some websites that give away such information
(www.cert.org, CVE, Bugtraq etc. either don't or I am insulting my
intelligence)

Thank you in advance,

Zach

P.S. I know that executing an exploit would provide me with the packet
payload but that is what I am trying to avoid...
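
Added example (not part of the original messages and not code from the Snort project): a small Python parser that pulls the payload patterns out of a rule's `content` options, decoding `|..|` hex spans, and checks them against a packet payload. The sample rule, its sid and the payloads are constructed for illustration; position modifiers such as `offset` and `depth` are ignored.

```python
import re

# Constructed sample rule (not taken from any real ruleset); sid is a placeholder.
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"EXAMPLE constructed web probe"; '
    'content:"GET /example.cgi?"; nocase; '
    'content:"|0d 0a|X-Probe|3a 20|demo"; '
    'content:!"|00|"; sid:1000001; rev:1;)'
)

# One rule option: name, then an optional value that may hold a quoted string.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def decode_content(text):
    """Turn a content string into bytes: |..| spans are hex, the rest is literal."""
    out = bytearray()
    for idx, part in enumerate(text.split("|")):
        if idx % 2:                       # inside a |..| span: hex byte values
            out += bytes.fromhex(part)
        else:                             # literal text; drop escaping backslashes
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def extract_contents(rule):
    """Return [(pattern_bytes, negated, nocase), ...] in rule order."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    found = []
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if name == "content":
            negated = value.startswith("!")
            quoted = value.lstrip("!").strip()
            found.append([decode_content(quoted[1:-1]), negated, False])
        elif name == "nocase" and found:  # modifier applies to the previous content
            found[-1][2] = True
    return [tuple(f) for f in found]

def payload_matches(rule, payload):
    """True if every content test passes (position modifiers are ignored here)."""
    for pattern, negated, nocase in extract_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if (needle in hay) == negated:    # missing positive match, or negated hit
            return False
    return True
```
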