The snort signatures released by GOBBLES Labs posted to their website at www.bugtraq.org/misc/GOBBLES.rules to catch this exploit are not valid. Not only does the string "GOBBLES IDENTIFY" never show up in the payload sent by the exploit, but if it did, that is an extremely simple string to evade. Below is a correctly working (and "official" :P) snort signature.

alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:1;)

-brian
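Added example, not part of the original post and not Snort code: a Python model of the options in the rule above (port, flags:A+, content with nocase and offset:0, dsize:>200), run over constructed segments to show which option decides each case. The names Segment, rule_1382 and gobbles_string are hypothetical, and treating the "GOBBLES IDENTIFY" match as case-sensitive is an assumption.

```python
from dataclasses import dataclass

ACK = 0x10  # TCP ACK flag bit
SYN = 0x02  # TCP SYN flag bit

@dataclass
class Segment:
    dst_port: int
    tcp_flags: int
    payload: bytes

def content_match(payload: bytes, pattern: bytes, nocase: bool, offset: int = 0) -> bool:
    """content + offset: search from byte `offset` to the end of the payload."""
    hay, needle = payload[offset:], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def rule_1382(seg: Segment) -> bool:
    """All options of the posted rule must hold for an alert."""
    return (
        seg.dst_port == 6667
        and (seg.tcp_flags & ACK) != 0      # flags:A+ (ACK plus any other flags)
        and len(seg.payload) > 200          # dsize:>200
        and content_match(seg.payload, b"PRIVMSG nickserv IDENTIFY",
                          nocase=True, offset=0)
    )

def gobbles_string(seg: Segment) -> bool:
    """The string the post says never appears in the payload (assumed case-sensitive)."""
    return content_match(seg.payload, b"GOBBLES IDENTIFY", nocase=False)

# Constructed sample traffic (not captured data).
LONG_IDENTIFY = Segment(6667, ACK, b"PRIVMSG NickServ IDENTIFY " + b"A" * 300 + b"\r\n")
SHORT_IDENTIFY = Segment(6667, ACK, b"PRIVMSG nickserv IDENTIFY secret\r\n")
LONG_CHAT = Segment(6667, ACK, b"PRIVMSG #channel :" + b"x" * 300 + b"\r\n")
SYN_ONLY = Segment(6667, SYN, LONG_IDENTIFY.payload)

def verdicts() -> dict:
    samples = {"long_identify": LONG_IDENTIFY, "short_identify": SHORT_IDENTIFY,
               "long_chat": LONG_CHAT, "syn_only": SYN_ONLY}
    return {name: rule_1382(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:15s} alert={hit}")
    print("GOBBLES string on long_identify:", gobbles_string(LONG_IDENTIFY))
```

A normal, short IDENTIFY does not alert because dsize:>200 fails, and the mixed-case "NickServ" still matches because of nocase.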
This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 17:37:53 PST