[Snort-devel] Signature Quality Rules

James Hoagland hoagland at ...60...
Wed Feb 21 19:51:12 EST 2001


At 7:30 PM +0000 2/21/01, Brian Caswell wrote:
...
>In the file "flawed-cgi" we include a list of every flawed CGI that we
>know of.  In order to correctly log all of the rules, I propose a
>modification to content-list, so that it changes msg to include what it
>saw.  So that if content-list saw "/cgi-bin/" and "count.cgi" then it
>would change msg to be "WEB-CGI access /cgi-bin/count.cgi".  This
>shouldn't be a difficult modification, and it would help the
>administrator keep their rulebase up-to-date.

FYI, changing the msg in this way would break part of SnortSnarf, the 
inclusion of the rules that produce a particular snort message on the 
page for that message (enabled with the -rule* options).  What it 
does now is go through the rules files looking for an exact match to 
a snort message in the msg field of rules.  With extra stuff at the 
end of the snort message, this would no longer work.

If we decide to do this, what would be nicest for SnortSnarf is if a 
certain reserved delineator such as a colon is produced in the snort 
message.  For example instead of producing "WEB-CGI access 
/cgi-bin/count.cgi" as suggested above, it would produce "WEB-CGI 
access: /cgi-bin/count.cgi".  That way SnortSnarf could drop the text 
after the ':' when looking for the rule that generated it.

I'd rather not have to go digging through the content list files.  A 
number of headaches there, including that SnortSnarf presently would 
not even know what directory to look in.  (Maybe, I don't even know 
where those are located.)

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|
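To make the matching problem concrete, here is an added example (not SnortSnarf's own code, and the rule lines are constructed samples) of the exact-match lookup on the rule msg field that the message above describes, plus the proposed fallback of dropping the text after a ':' delimiter. The fallback tries the longest prefix first, so an existing msg that already contains a colon still matches.

```python
import re

# Constructed sample rules in Snort 1.x syntax; not taken from any real rules file.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-CGI access"; content:"/cgi-bin/"; content-list:"flawed-cgi";)
alert tcp any any -> any 80 (msg:"WEB-MISC http directory traversal"; content:"../";)
alert tcp any any -> any 21 (msg:"FTP EXPLOIT: overflow attempt"; content:"|90 90 90|";)
"""

# Captures the quoted msg value, allowing backslash-escaped characters inside it.
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')


def load_rule_msgs(rules_text):
    """Index rule lines by their msg field (a msg may appear in several rules)."""
    index = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MSG_RE.search(line)
        if m:
            index.setdefault(m.group(1), []).append(line)
    return index


def find_rules_for_alert(alert_msg, index):
    """Return the rule lines whose msg produced alert_msg.

    Step 1 is the exact match SnortSnarf does today.  Step 2 is the proposed
    'msg: detail' convention: strip text after a ':' and retry.  Prefixes are
    tried longest-first so a msg that itself contains ':' is not cut short.
    """
    if alert_msg in index:
        return index[alert_msg]
    parts = alert_msg.split(":")
    for n in range(len(parts) - 1, 0, -1):
        candidate = ":".join(parts[:n]).rstrip()
        if candidate in index:
            return index[candidate]
    return []


RULE_INDEX = load_rule_msgs(SAMPLE_RULES)

if __name__ == "__main__":
    # Without a delimiter the appended detail defeats the exact match entirely.
    print(find_rules_for_alert("WEB-CGI access /cgi-bin/count.cgi", RULE_INDEX))
    print(find_rules_for_alert("WEB-CGI access: /cgi-bin/count.cgi", RULE_INDEX))
```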