Rule: 

--
Sid: 641

--
Summary: 
This event is generated when a buffer overflow attack is attempted against a target machine.

--
Impact: 
Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.


-- 
Detailed Information: 
This rule tracks the bit combination which may occur in network packets aimed at overflowing Digital UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code ean indicator to upcoming
attacks, an attacker may attempt to determine what ports are listening
on a given machine by sending a TCP packet with all of its control
bits "lit up", hence the name XMAS scan -- it's "lit up like a
Christmas tree."
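
The flag pattern described above, as an added example that is not part of the original signature document: a Python check over raw TCP headers that reports a segment with all six classic control bits set, and also the FIN/PSH/URG combination sent by nmap's -sX scan (a generalisation beyond the text). The sample headers, port numbers and function names are constructed for illustration.

```python
import struct

# Classic TCP control bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG   # 0x3f, every classic bit lit
NMAP_XMAS = FIN | PSH | URG                   # 0x29, sent by nmap -sX


def tcp_flags(segment: bytes) -> int:
    """Return the six classic control bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header (need at least 20 bytes)")
    # src port, dst port, seq, ack, data-offset byte, flags byte
    _, _, _, _, off, flags = struct.unpack("!HHIIBB", segment[:14])
    if (off >> 4) < 5:
        raise ValueError("invalid TCP data offset")
    return flags & ALL_SIX


def classify(segment: bytes) -> str:
    """Label a segment by its control-bit pattern."""
    flags = tcp_flags(segment)
    if flags == ALL_SIX:
        return "xmas-all-bits"
    if flags == NMAP_XMAS:
        return "xmas-fin-psh-urg"
    return "other"


def build_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample input: a 20-byte TCP header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed samples, not captured traffic.
SAMPLES = {
    "all bits": build_header(40000, 22, ALL_SIX),
    "nmap -sX style": build_header(40001, 80, NMAP_XMAS),
    "normal SYN": build_header(40002, 443, SYN),
    "normal PSH/ACK": build_header(40003, 443, PSH | ACK),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:16} flags=0x{tcp_flags(seg):02x} -> {classify(seg)}")
```
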
--
Ease of Attack:
Trivial.  Many of the popular portscanners/vulnerability testers, most
notably nmap, allow anyone to initiate an XMAS scan.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Determine what information an attacker may have gleaned from this
attack.  Would your ports show as open or closed?  Consider
implementing a stateful firewall on the victim machine, or at ingress
points on your network.

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Jon Hart <warchild@spoofed.org>

-- 
Additional References:
http://rr.sans.org/firewall/egress.php

--