[Snort-sigs] Sids 659 and 660 (again)

dhenderson at ...87... dhenderson at ...87...
Thu Aug 30 17:49:21 EDT 2001


This discussion seems to have triggered some alerts. Oops... I was 
careful not to use the exact rule content in the body of my original 
posting; it seems I wasn't so careful in my last posting (which was my 
suggested fix).

Regarding Brian Caswell's comment:

>> "Uh... there is nothing different except the name.  
>> arachnids is no longer being maintained.  
>> Adding IDS32/ increases the space needed by 5 characters."

I would argue that modifying the name from the current to 
smtp-expn-root is at least a good idea, to prevent my reporting setup 
from triggering the rules any more.

I have no problem excluding the ids# from the rule name (if arachnids 
is not being maintained). But if that is the case, why do the rules 
include any arachnids references at all? This is adding more than 5 
characters...

That said, here are my suggested rule changes - with the content 
mangled with Xs to prevent another set of alerts :)

alert tcp $EXTERNAL_NET any -> $SMTP 25 
(msg:"smtp-expn-decode";flags: A+; content:"expn XXcode"; nocase; 
reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP 25 
(msg:"smtp-expn-root";flags: A+; content:"expn Xoot"; nocase; 
reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)

David
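To make the proposed rules easier to review mechanically, here is an added example (not from the post or from Snort itself) that parses Snort 1.x rule text of the shape posted above into its header fields and options, then checks that every rule carries msg/sid/rev and that no sid or msg is shared between rules. The two rules are copied from the post with the author's X-mangled content left as is, joined onto one line each as Snort expects; everything else is my own code.

```python
import re
from collections import Counter

# The two rules from the post, joined onto one line each (content still mangled with Xs).
POSTED_RULES = """
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"smtp-expn-decode";flags: A+; content:"expn XXcode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"smtp-expn-root";flags: A+; content:"expn Xoot"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)
"""

HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$')

def split_options(body):
    # Split on ';' but not inside double quotes, so a content:"a;b" value stays intact.
    opts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + ([tail] if tail else [])

def parse_rule(line):
    # Header fields come from the named groups; options map key -> value ('' for bare flags like nocase).
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % line)
    rule = {k: v for k, v in m.groupdict().items() if k != 'body'}
    rule['options'] = {}
    for opt in split_options(m.group('body')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip().strip('"')
        if key == 'reference':  # reference:<system>,<id>; may appear more than once per rule
            rule['options'].setdefault(key, []).append(tuple(val.split(',', 1)))
        else:
            rule['options'][key] = val
    return rule

def check_rules(rules):
    # Report rules lacking msg/sid/rev and any sid or msg shared by two or more rules.
    problems = []
    for r in rules:
        problems += ['rule without %s: %r' % (req, r['options'].get('msg'))
                     for req in ('msg', 'sid', 'rev') if req not in r['options']]
    for field in ('sid', 'msg'):
        problems += ['duplicate %s: %s' % (field, v)
                     for v, n in Counter(r['options'].get(field) for r in rules).items() if n > 1]
    return problems
```

Feeding a whole rules file through `parse_rule` line by line (skipping blanks and `#` comments) and then `check_rules` catches the sid or msg collisions that a rename like the one proposed here can otherwise introduce silently.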
