[Snort-sigs] sid 1048, 284, 286, 666, and 661 Rule nits

William Stearns wstearns at ...157...
Wed Oct 24 11:42:07 EDT 2001

Good day, all,
	Thanks for a great ruleset!

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape
Enterprise directory listing attempt"; content:"INDEX " offset:0; depth:6;
flags:A+; reference:cve,CAN-2001-0250; reference:bugtraq,2285; classtype
:attempted-recon; sid:1048; rev:2;)

	there's a missing semicolon after "content:"INDEX "

	Also, in
snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109
(msg:"EXPLOIT pop2 x86 linux overflow";flags: A+; content:"|eb2c 5b89 d980
c106 39d9 7c07 800 1|"; classtype:attempted-admin; sid:284; rev:1;)
snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110
(msg:"EXPLOIT pop3 x86 bsd overflow";flags: A+; content:"|5e0 e31c 0b03
b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:1;)

	The hex content uses mispaired hex digits such as 800 1 ; perhaps
80 01 would be more common usage?

	One final request, if I may.  sids 666 and 661 have quotes (' or
`) in the content field.  Would you consider putting the quote characters
in hex?  I have a particular tool that's trying to read the snort rules
and is having trouble with those.  :-(
	No big thing, just thought I'd ask.
	- Bill

	Things you Do Not Want To See On IRC: your husband commenting on the
S390 port and in the next comment, announcing that he expects a new toy.
He tells me the two are unrelated. I do hope so.
	- Telsa Gwynn, Alan Cox' wife
William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at:                http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com

More information about the Snort-sigs mailing list