[Snort-sigs] Sids 659 and 660 (again)

John Berkers berjo at ...66...
Fri Aug 31 22:15:18 EDT 2001

Despite arachnids no longer being maintained, I believe that the reference
info there is still relevant.  If there were some replacement source of
reference information that we could refer to, even for things as innocuous
as a ping, that could give us an alternative.  CVE references are of course
still essential, since these provide additional references to CERT, vendor
and other advisories (pity Max didn't include CVE references in his rules).

At this stage I'm not offering to try and build a site such as suggested
above, but I am wondering if there is a site that offers such  a service
(other than Whitehats).  Obviously quite a bit of work would need to go into
it to get it up and running, and then there is the maintenance of it.

I don't know what anyone else thinks of the above suggestion, so let me know
what you think.


John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers at ...78...               berjo at ...66...

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of
dhenderson at ...87...
Sent: Friday, 31 August 2001 7:49
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Sids 659 and 660 (again)

This discussion seems to have triggered some alerts. Oops... I was
careful not to use the exact rule content in the body of my original
posting; it seems I wasn't so careful in my last posting (which was my
suggested fix).

Regards to Brian Caswell's comment:

>> "Uh... there is nothing different except the name.
>> arachnids is no longer being maintained.
>> Adding IDS32/ increases the space needed by 5 characters."

I would argue that modifying the name from the current to
smtp-expn-root is at least a good idea, to prevent my reporting setup
from triggering the rules any more.

I have no problem excluding the ids# from the rule name (if arachnids
is not being maintained). But if that is the case, why do the rules
include any arachnids references at all? This is adding more than 5

That said, here is my suggseted rule changes  - with the content
mangled with Xs to prevent another set of alerts :)

alert tcp $EXTERNAL_NET any -> $SMTP 25
(msg:"smtp-expn-decode";flags: A+; content:"expn XXcode"; nocase;
reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP 25
(msg:"smtp-expn-root";flags: A+; content:"expn Xoot"; nocase;
reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list