RE: packet payload/signature

From: McCammon, Keith (
Date: 10/03/01

Message-ID: <>
From: "McCammon, Keith" <>
To: 'Zacharias Pigadas' <>,
Subject: RE: packet payload/signature
Date: Wed, 3 Oct 2001 11:31:21 -0400 

What type of "payload" information are you trying to gather? And for what

Most of the snort rules have fairly specific payload information in the
content field. In addition, as far as web exploits are concerned, the
payload is self-explanatory by looking at the IIS logs, or any number of
analytical papers written about the scans.


-----Original Message-----
From: Zacharias Pigadas []
Sent: Wednesday, October 03, 2001 2:36 AM
Subject: packet payload/signature

Hello everyone,

I am trying to write some customised IDS rules taking under consideration
the packet payload - pretty much like in snort rules. my problem is that no
matter where I looked I ended up with a description/exploit of the attack
and/or vulnerability but not with the signature in the payload I was looking
for. I would appreciate some websites that give away such information
(, cve, bugtrack etc. either don't or I am insulting my

Thank you in advance,


ps. I know that executing an exploit would provide me with the packet
payload but that is what I am trying to avoid...