[Snort-devel] Signature Quality Rules
hoagland at ...60...
Wed Feb 21 19:51:12 EST 2001
At 7:30 PM +0000 2/21/01, Brian Caswell wrote:
>In the file "flawed-cgi" we include a list of every flawed CGI that we
>know of. In order to correctly log all of the rules, I propose a
>modification to content-list, so that it changes msg to include what it
>saw, so that if content-list saw "/cgi-bin/" and "count.cgi" then it
>would change msg to be "WEB-CGI access /cgi-bin/count.cgi". This
>shouldn't be a difficult modification, and it would help the
>administrator keep their rulebase up-to-date.
FYI, changing the msg in this way would break part of SnortSnarf, the
including of the rules that produce a particular snort message on the
page for that message (enabled with the -rule* options). What it
does now is go through the rules files looking for an exact match to
a snort message in the msg field of rules. With extra stuff at the
end of the snort message, this would no longer work.
If we decide to do this, what would be nicest for SnortSnarf is if a
certain reserved delineator such as a colon is produced in the snort
message. For example instead of producing "WEB-CGI access
/cgi-bin/count.cgi" as suggested above, it would produce "WEB-CGI
access: /cgi-bin/count.cgi". That way SnortSnarf could drop the text
after the ':' when looking for the rule that generated it.
I'd rather not have to go digging through the content list files. A
number of headaches there, including that SnortSnarf presently would
not even know what directory to look in. (Maybe, I don't even know
where those are located.)
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...60... *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (707) 445-4222 *|
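To make the lookup concrete, here is an added Python sketch (not SnortSnarf's own code) of the matching the reply describes: exact match on the rule's msg first, then a fallback that drops everything after the reserved delimiter. The rule lines are constructed samples in Snort 1.x syntax, not the real rule set.

```python
import re

# Constructed sample rules (hypothetical; Snort 1.x syntax with content-list).
SAMPLE_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI access"; content-list:"flawed-cgi"; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC http directory traversal"; content:"../"; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI: .ida attempt"; content:".ida?"; nocase;)
'''

# The msg option: msg:"..." with backslash escapes allowed inside the quotes.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')

def index_rules(rule_text):
    """Map each msg string to the list of rule lines that carry it."""
    index = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = MSG_RE.search(line)
        if m:
            index.setdefault(m.group(1), []).append(line)
    return index

def rules_for_alert(index, alert_msg, delimiter=':'):
    """Return the rule line(s) that produced an alert message.

    Exact match first (what SnortSnarf does today), so a rule whose own
    msg contains a colon still resolves. Otherwise drop the text after
    the reserved delimiter, which is how a msg extended with content-list
    detail ("WEB-CGI access: /cgi-bin/count.cgi") maps back to its rule.
    A msg extended without the delimiter matches nothing, which is the
    breakage the reply warns about.
    """
    if alert_msg in index:
        return index[alert_msg]
    head, sep, _ = alert_msg.partition(delimiter)
    if sep:
        return index.get(head.rstrip(), [])
    return []
```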