[Snort-devel] Signature Quality Rules

Brian Caswell bmc at ...227...
Thu Feb 22 10:00:46 EST 2001


James Hoagland wrote:
> 
> >Well... I have been doing quite a bit of work validating the snort rules
> >in the current database, and I have a broad decision question for yall.
> >
> >Most of our WEB-CGI rules just list the program, such as
> >"/cgi-bin/count.cgi" and do not include a signature for the actual
> >attempt.
> >
> >I propose that we move all of these "program names" into one rule.
> 
> Brian,
> 
> A 2nd note.
> 
> Have you considered what impact this change would have on the ability
> to include the reference information in the rule?  For example,
> "reference:arachnids,251;" being able to be included in the rule.
> This information is being used by spo_idmef and is increasingly being
> included in the rules (sometimes instead of the old ugly IDSxxx info
> in the msg field).

Yeah, that hit me last night.  I guess what I am looking for is a deeper
snort rule configuration, something akin to:

alert tcp $EXTERNAL any -> $HOME_NET 80 ( msg:"WEB "; flags:A+; \
   [ msg:"PHF attempt"; content:"/cgi-bin/phf?Qalias=x%0a";], 
   [ msg:"PHF access"; content:"/cgi-bin/phf"; ]
   nocase; reference:cve,CVE-1999-0067;)
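The sketch above is a proposed syntax, not anything Snort parses. As an added example (not code from the original post or from the Snort project), the script below expands a grouped rule of that shape into ordinary one-signature-per-rule Snort lines, so the shared options such as nocase and the reference survive in every expanded rule; this addresses James' concern that consolidating rules would lose the reference information. The expansion semantics are my assumption: the outer msg is a prefix concatenated with each group's msg, each group's remaining options (here content) are inserted where the group appeared, and a stray "," between groups is tolerated. The rule text in SAMPLE is constructed from the sketch above.

```python
"""Expand a grouped Snort rule sketch into standard one-signature-per-line rules.

Added example; the grouped syntax is a proposal from the mailing-list post,
not real Snort syntax, and the expansion semantics here are an assumption.
"""
import re
from typing import Dict, List, Tuple

Option = Tuple[str, str]  # (keyword, value); value is '' for bare keywords such as nocase

GROUP_RE = re.compile(r'\[(.*?)\]', re.S)
RULE_RE = re.compile(r'^\s*(?P<header>[^(]*?)\s*\(\s*(?P<body>.*)\)\s*$', re.S)

# Constructed sample, mirroring the sketch in the post (raw string keeps the "\" continuation).
SAMPLE = r"""
alert tcp $EXTERNAL any -> $HOME_NET 80 ( msg:"WEB "; flags:A+; \
   [ msg:"PHF attempt"; content:"/cgi-bin/phf?Qalias=x%0a";],
   [ msg:"PHF access"; content:"/cgi-bin/phf"; ]
   nocase; reference:cve,CVE-1999-0067;)
"""


def _push(opts: List[Option], buf: List[str]) -> None:
    # Tolerate a ',' separator left between groups; split keyword from value on the first ':'.
    token = ''.join(buf).strip().lstrip(',').strip()
    if token:
        key, _, val = token.partition(':')
        opts.append((key.strip(), val.strip()))


def split_options(body: str) -> List[Option]:
    """Split a rule body on ';' outside double quotes into (keyword, value) pairs."""
    opts: List[Option] = []
    buf: List[str] = []
    in_quote = False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            _push(opts, buf)
            buf = []
        else:
            buf.append(ch)
    _push(opts, buf)
    return opts


def render(header: str, opts: List[Option]) -> str:
    """Serialise options back into standard 'key:value;' / 'keyword;' form."""
    parts = [f'{k}:{v};' if v else f'{k};' for k, v in opts]
    return f'{header} ({" ".join(parts)})'


def expand_grouped_rule(text: str) -> List[str]:
    """Return one standard Snort rule per [ ... ] group, carrying all shared options."""
    text = text.replace('\\\n', ' ')  # join backslash-continued lines
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('not a rule: missing header or ( ... ) body')
    header, body = m.group('header'), m.group('body')

    groups: List[List[Option]] = []

    def _placeholder(mo: 're.Match') -> str:
        # Replace each group with a marker so its position in the option list is kept.
        groups.append(split_options(mo.group(1)))
        return f' @group{len(groups) - 1}; '

    skeleton = split_options(GROUP_RE.sub(_placeholder, body))

    rules: List[str] = []
    for idx, variant in enumerate(groups):
        vdict: Dict[str, str] = dict(variant)
        merged: List[Option] = []
        for key, val in skeleton:
            if key == 'msg':
                # Outer msg acts as a prefix for the group's msg (assumption).
                merged.append(('msg', '"' + val.strip('"') + vdict.get('msg', '').strip('"') + '"'))
            elif key.startswith('@group'):
                if key == f'@group{idx}':
                    merged.extend((k, v) for k, v in variant if k != 'msg')
            else:
                merged.append((key, val))  # shared option: flags, nocase, reference, ...
        rules.append(render(header, merged))
    return rules


if __name__ == '__main__':
    for rule in expand_grouped_rule(SAMPLE):
        print(rule)
```

Running it on SAMPLE yields two rules, "WEB PHF attempt" and "WEB PHF access", each ending with nocase and the same reference:cve option, which is the property a preprocessing step of this kind would need to guarantee before spo_idmef or any other output plugin sees the rule set.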