[Snort-devel] Signature Quality Rules
bmc at ...227...
Thu Feb 22 10:00:46 EST 2001
James Hoagland wrote:
> >Well... I have been doing quite a bit of work validating the snort rules
> >in the current database, and I have a broad decision question for y'all.
> >Most of our WEB-CGI rules just list the program, such as
> >"/cgi-bin/count.cgi" and do not include a signature for the actual
> >I propose that we move all of these "program names" into one rule.
> A 2nd note.
> Have you considered what impact this change would have on the ability
> to include the reference information in the rule? For example,
> "reference:arachnids,251;" being able to be included in the rule.
> This information is being used by spo_idmef and is increasingly being
> included in the rules (sometimes instead of the old ugly IDSxxx info
> in the msg field).
Yeah, that hit me last night. I guess what I am looking for is a deeper
snort rule configuration, something akin to:
alert tcp $EXTERNAL any -> $HOME_NET 80 ( msg:"WEB "; flags:A+; \
[ msg:"PHF attempt"; content:"/cgi-bin/phf?Qalias=x%0a";],
[ msg:"PHF access"; content:"/cgi-bin/phf"; ]
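As an added illustration (not code from the thread or from Snort itself), the sketch below models the grouped-rule idea as a data structure and matches it against constructed request payloads: one shared header, several sub-signatures, each keeping its own msg and reference, with the most specific matching content winning so "PHF attempt" is not shadowed by "PHF access". The reference values are placeholders, and the structure is a hypothetical reading of the proposal, not Snort's actual rule syntax.

```python
from dataclasses import dataclass


@dataclass
class SubSig:
    msg: str        # appended to the group's msg prefix
    content: str    # payload substring that triggers this sub-signature
    reference: str  # per-sub-signature reference, kept next to its msg


@dataclass
class GroupedRule:
    proto: str
    dport: int
    msg_prefix: str
    subs: list


def match_packet(rule, proto, dport, payload):
    """Return an alert dict for the most specific matching sub-signature,
    or None if the header does not match or no content matches."""
    if proto != rule.proto or dport != rule.dport:
        return None
    hits = [s for s in rule.subs if s.content.encode() in payload]
    if not hits:
        return None
    # Longest content wins, so "/cgi-bin/phf?Qalias=x%0a" beats "/cgi-bin/phf"
    best = max(hits, key=lambda s: len(s.content))
    return {"msg": rule.msg_prefix + best.msg, "reference": best.reference}


# Hypothetical grouped rule for the two PHF cases from the thread.
PHF_RULE = GroupedRule("tcp", 80, "WEB ", [
    SubSig("PHF attempt", "/cgi-bin/phf?Qalias=x%0a", "PLACEHOLDER-REF-ATTEMPT"),
    SubSig("PHF access", "/cgi-bin/phf", "PLACEHOLDER-REF-ACCESS"),
])

# Constructed sample traffic: (proto, dport, payload).
SAMPLE_PACKETS = [
    ("tcp", 80, b"GET /cgi-bin/phf?Qalias=x%0a HTTP/1.0\r\n"),
    ("tcp", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    ("tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("tcp", 8080, b"GET /cgi-bin/phf HTTP/1.0\r\n"),  # header mismatch
]


def run_samples():
    return [match_packet(PHF_RULE, *pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, alert in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt[2].strip(), "->", alert)
```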