[Snort-sigs] MP3 Rules

Brian Caswell bmc at ...8...
Fri Oct 13 16:48:43 EDT 2000


"F.M. Taylor" wrote:
> Here is my current set of MP3 rules.  They seem to work well with minimal
> false alerts, but I have only run limited tests.  This used to be much
> more specific, but the sheer bulk of the various permutations proved to be
> prohibitive.  When I dig up the Larger set (seem to have misplaced it), I
> will post it.
>
> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FA 00|";depth: 3; )
> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FA 01|";depth: 3; )
> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FA 02|";depth: 3; )

[snip]

> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FB 00|";depth: 3; )
> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FB 01|";depth: 3; )
> alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FB 02|";depth: 3; )

Looking for |FF FA| or |FF FB| would be quite a bit faster, and would
not raise the number of false alarms very much.  The speed bonus gained
by having fewer rules would outweigh the additional false alarms in my book.

-- 
Brian Caswell
The MITRE Corporation
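The trade-off discussed above, as an added example that is not code from the thread or from either poster: a Python sketch that emulates the two-byte |FF FA| / |FF FB| check with depth:3 (in Snort, depth:3 confines the search to the first three payload bytes, so a two-byte pattern may land at offset 0 or 1) against a full decode of the MPEG-1 Layer III header, which is what the enumerated |FF FA xx| / |FF FB xx| rules spell out one third-byte value at a time. The function names and the sample payloads are my own constructions; the header bit layout and bitrate / sampling-rate tables are the MPEG-1 audio ones.

```python
"""Added example (not code from the thread): emulate the two-byte sync check
against full decoding of the MPEG-1 Layer III header byte that the
enumerated |FF FA xx| / |FF FB xx| rules list one value at a time."""

# MPEG-1 Layer III bitrate table in kbit/s; index 0 is "free format",
# index 15 is invalid in every MPEG version.
MPEG1_L3_BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128,
                     160, 192, 224, 256, 320, None]
# MPEG-1 sampling rates in Hz; index 3 is reserved.
MPEG1_SAMPLE_RATES = [44100, 48000, 32000, None]


def sync_rule(payload: bytes) -> bool:
    """Equivalent of the two suggested rules:
         content:"|FF FA|"; depth:3;   or   content:"|FF FB|"; depth:3;
    depth:3 confines the search to the first three payload bytes, so the
    two-byte pattern may sit at offset 0 or 1."""
    head = payload[:3]
    return b"\xff\xfa" in head or b"\xff\xfb" in head


def decode_header(payload: bytes):
    """Parse the first three payload bytes as an MPEG-1 Layer III frame header.

    Returns a dict describing the frame, or None when the bytes cannot be a
    valid header (wrong sync, wrong version/layer, invalid bitrate index or
    reserved sampling-rate index).  This is what the enumerated third-byte
    rules approximate by listing plausible xx values."""
    if len(payload) < 3:
        return None
    b0, b1, b2 = payload[0], payload[1], payload[2]
    # 11 sync bits: all of byte 0 plus the top three bits of byte 1.
    if b0 != 0xFF or (b1 & 0xE0) != 0xE0:
        return None
    version = (b1 >> 3) & 0x3        # 3 = MPEG-1, 2 = MPEG-2, 0 = MPEG-2.5
    layer = (b1 >> 1) & 0x3          # 1 = Layer III, 2 = Layer II, 3 = Layer I
    crc_protected = (b1 & 0x1) == 0  # FF FA = CRC present, FF FB = no CRC
    if version != 3 or layer != 1:
        return None                  # only FF FA / FF FB get past this point
    bitrate_idx = b2 >> 4
    samplerate_idx = (b2 >> 2) & 0x3
    padding = (b2 >> 1) & 0x1
    bitrate = MPEG1_L3_BITRATES[bitrate_idx]
    samplerate = MPEG1_SAMPLE_RATES[samplerate_idx]
    if bitrate is None or samplerate is None:
        return None                  # 0xFx, or sampling-rate index 3: never a real frame
    # Layer III frame length in bytes; undefined for free format (bitrate 0).
    frame_len = (144 * bitrate * 1000 // samplerate + padding) if bitrate else None
    return {
        "crc": crc_protected,
        "bitrate_kbps": bitrate,
        "sample_rate": samplerate,
        "padding": padding,
        "frame_len": frame_len,
    }


# Constructed sample payloads (first bytes of a TCP segment), not captured traffic.
SAMPLES = {
    # 128 kbit/s, 44.1 kHz, no CRC: the most common MP3 frame header.
    "mp3_frame":     b"\xff\xfb\x90\x00" + b"\x00" * 413,
    # Sync bytes followed by bitrate index 15 (invalid): noise, not audio.
    "bad_bitrate":   b"\xff\xfa\xf0\x00" + b"\x00" * 16,
    # Sync bytes followed by reserved sampling-rate index 3.
    "reserved_rate": b"\xff\xfb\x9c\x00" + b"\x00" * 16,
    # Sync at offset 1: still inside depth:3 for the two-byte rule.
    "offset_sync":   b"\x00\xff\xfb\x90" + b"\x00" * 16,
    # MPEG-2 Layer III (FF F3): neither rule set looks for it.
    "mpeg2_frame":   b"\xff\xf3\x90\x00" + b"\x00" * 16,
}


def compare(samples=SAMPLES):
    """Return {name: (two_byte_rule_fires, header_decodes)} for each payload."""
    return {name: (sync_rule(p), decode_header(p) is not None)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fires, valid) in compare().items():
        print(f"{name:14s} sync_rule={fires!s:5s} valid_header={valid}")
```

Running it shows where the extra false alarms come from: the two-byte rule fires on payloads whose third byte can never belong to a real frame (bitrate index 15, reserved sampling rate) and on a sync pattern at offset 1, while the decoded-header check rejects all three. Both approaches only recognise MPEG-1 Layer III; an MPEG-2 Layer III stream (FF F3 / FF F2 headers) passes both untouched.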