gamancio at ...2692... - Bayesian Filter detected spam - [Snort-users] Re: [Snort-devel] RE: [Snort-sigs] First attempt at writing a sig

Martin Roesch roesch at ...402...
Thu Jan 6 06:30:18 EST 2005


Hi Joel,

That's exactly why, it's a lot faster and more compact to just use nice 
little 32-bit ints and do all the string handling "heavy lifting" as a 
post process.  Unified was designed with one primary driver in mind: 
speed.  It sucks to have to manage the sid-msg.map, but it's there for 
performance reasons...

I suppose if I was really cool I could have snort auto-generate the 
sid-msg.map file at start time based on the loaded rule set, but I'm 
not that cool (at least not this week)...

      -Marty

P.S. What letters of the alphabet do we have left to use for this 
one...?


On Dec 17, 2004, at 3:30 PM, Esler, Joel - Contractor wrote:

> Sid-msg.map is only relevant if you are using barnyard.  Why can't we
> get rid of sid-msg.map and have snort log the event name in unified?
> For speed I am assuming...
>
> Joel
>
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Lance Boon
> Sent: Friday, December 17, 2004 3:21 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] First attempt at writing a sig
>
>
> Thanks for pointing that out, here's the updated rule
>
> alert udp any any -> any any (msg:"Netop Remote Control Usage";
> content:"|554b30303736305337473130|"; reference:url,www.netop.com;
> classtype:policy-violation; sid:2000000; rev:2;)
>
> This caught my traffic going to my remote subnets. I tried increasing
> the revision # as well but to no avail so I changed the sid to 2000001
>
>
> alert udp any any -> any any (msg:"Netop Remote Control Usage";
> content:"|554b30303736305337473130|"; reference:url,www.netop.com;
> classtype:policy-violation; sid:2000001; rev:1;)
>
> Now it's showing up in Acid correctly
>
> -----Original Message-----
> From: Matt Jonkman [mailto:matt at ...2688...]
> Sent: Friday, December 17, 2004 2:10 PM
> To: Lance Boon
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] First attempt at writing a sig
>
> Not a bad run for a first sig. Thanks for posting it.
>
> Why did you go home-home net? Why not home-any? Or even any-any? I'm
> not that familiar with the tool, but I'd think the most interesting traffic
> would be someone from the outside connecting to a local box.
>
> As far as why it doesn't show right in acid, not sure. It is crafted
> correctly. Try increasing the rev number and hitting it again. I wonder
> if maybe the first time you had a hit the msg was empty, in which case
> it won't take the new msg until the rev # increases.
>
> I'll put this up on bleeding snort for more testing after we sort out
> the reasons for the home-home.
>
> Matt
>
> Lance Boon wrote:
>
>> This is my first attempt at writing a sig and wondered if anybody had
>> any pointers. I got a pcap of a netop session to 2 different systems,
>> ran it through snort and noticed that the content was the same in one
>> particular packet. So I wrote a rule for it, I have this working on my
>> network right now and haven't had any false positives yet. The only
>> thing that is bugging me and I'm sure that it's something that I'm
>> missing is that when an alert hits it doesn't read "Netop Remote Control
>> Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
>>
>> alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
>> Usage"; content:"|554b30303736305337473130|";
>> reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
>> rev:1)
>>
>>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
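Marty's aside about having Snort generate sid-msg.map from the loaded rule set is easy to do as a post-processing step, which is the point of the thread: unified carries only the gid:sid:rev ints, and the text lives in the map. The script below is an added example, not Snort's or Barnyard's code; it parses the three rule variants Lance posted (embedded as constructed input), writes them out in the `sid || msg || reference` layout sid-msg.map uses, and resolves a unified-style triple back to its message, falling back to the generic label ACID showed when the sid is unmapped.

```python
"""Generate a sid-msg.map from Snort rules and resolve unified (gid, sid, rev) events; added example, not Snort's code."""
import re

# Constructed input: the three rule variants posted in the thread.
RULES = '''
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:1)
alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:2;)
alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000001; rev:1;)
'''

# name:value options; values may be quoted, and the last one may lack its ';' (Lance's first rule).
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*(?:;|$)')

def parse_rule(rule):
    """Return the sid, rev, msg and references of one rule, or None."""
    body = re.search(r'\((.*)\)\s*$', rule.strip())
    if not body:
        return None
    opts = {'references': [], 'rev': 0}
    for name, value in OPT_RE.findall(body.group(1)):
        if name == 'msg':
            opts['msg'] = value.strip('"')
        elif name == 'reference':
            opts['references'].append(value)
        elif name in ('sid', 'rev'):
            opts[name] = int(value)
    if 'sid' not in opts or 'msg' not in opts:
        return None
    return opts

def build_sid_msg_map(rules_text):
    """One entry per sid, keeping the highest rev seen for that sid."""
    entries = {}
    for line in rules_text.splitlines():
        opts = parse_rule(line) if line.strip() and not line.startswith('#') else None
        if opts and opts['rev'] >= entries.get(opts['sid'], {'rev': -1})['rev']:
            entries[opts['sid']] = opts
    return entries

def render_sid_msg_map(entries):
    """Emit the 'sid || msg || reference' lines that barnyard reads."""
    return '\n'.join(' || '.join([str(sid), e['msg'], *e['references']])
                     for sid, e in sorted(entries.items()))

def resolve_event(entries, gid, sid, rev):
    """Map a unified (gid, sid, rev) triple to its message; an unmapped sid
    falls back to the generic label Lance saw in ACID."""
    if gid == 1 and sid in entries:
        return entries[sid]['msg']
    return f'Snort Alert [{gid}:{sid}:{rev}]'
```

Feeding Snort's actual rule files through build_sid_msg_map and writing render_sid_msg_map's output to sid-msg.map gives barnyard the text for every loaded sid, so a newly written local rule shows up in ACID by name instead of as a bare gid:sid:rev.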
