[Snort-sigs] sid 1048, 284, 286, 666, and 661 Rule nits
bmc at ...95...
Sun Oct 28 11:46:06 EST 2001
According to William Stearns:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape
> Enterprise directory listing attempt"; content:"INDEX " offset:0; depth:6;
> flags:A+; reference:cve,CAN-2001-0250; reference:bugtraq,2285; classtype
> :attempted-recon; sid:1048; rev:2;)
> there's a missing semicolon after "content:"INDEX "
Was fixed a long time ago.
> snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109
> (msg:"EXPLOIT pop2 x86 linux overflow";flags: A+; content:"|eb2c 5b89 d980
> c106 39d9 7c07 800 1|"; classtype:attempted-admin; sid:284; rev:1;)
> The hex content uses mispaired hex digits such as 800 1 ; perhaps
> 80 01 would be more common usage?
> snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110
> (msg:"EXPLOIT pop3 x86 bsd overflow";flags: A+; content:"|5e0 e31c 0b03
> b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:1;)
What is wrong with this rule?
> One final request, if I may. sids 666 and 661 have quotes (' or
> `) in the content field. Would you consider putting the quote characters
> in hex? I have a particular tool that's trying to read the snort rules
> and is having trouble with those. :-(
Hex makes things harder to read, so unless the parser requires it, I
would prefer to avoid hex for human readability.
Living is hazardous to your health.
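The three nits in this exchange are all things a rule-reading tool can check mechanically. The following is an added example (not code from the Snort project or from either poster) that lints the option body of Snort 1.x rules: it reports a content string that is not closed by a semicolon (the sid 1048 nit), lists hex groups between the bars that have an odd digit count such as "800" and "1" (the sid 284 and 286 nits; note that Snort strips whitespace inside |...|, so both still decode to whole bytes, which is why the rule is not actually wrong), and treats ' and ` inside a content string as ordinary literal bytes by splitting options on semicolons only outside double quotes. The sid 284 and 286 rules are the ones quoted above; the third rule is constructed for this example and is not sid 666 or 661.

```python
"""Lint the option body of Snort 1.x rules (added example, not Snort code)."""
import re
from typing import Dict, List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def split_options(rule: str) -> List[Tuple[str, str]]:
    """Split the (...) body into (keyword, value) pairs. A semicolon only
    ends an option outside double quotes, so ; ' or ` inside content are
    literal characters rather than delimiters."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # \" \; \| \\ escapes
            cur += [c, body[i + 1]]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    pairs = []
    for opt in opts:
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def decode_content(value: str) -> bytes:
    """Decode the inside of a content string the way Snort does: text is
    literal, | toggles hex mode, whitespace inside hex is ignored, and the
    digits between the bars must add up to whole bytes."""
    out, hexbuf, in_hex, i = bytearray(), "", False, 0
    while i < len(value):
        c = value[i]
        if c == "|":
            if in_hex:
                if len(hexbuf) % 2:
                    raise ValueError(f"odd number of hex digits in |{hexbuf}|")
                out += bytes.fromhex(hexbuf)
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            if c in HEX_DIGITS:
                hexbuf += c
            elif not c.isspace():
                raise ValueError(f"non-hex character {c!r} inside |...|")
        elif c == "\\" and i + 1 < len(value):
            out.append(ord(value[i + 1]))
            i += 1
        else:
            out.append(ord(c))
        i += 1
    if in_hex:
        raise ValueError("unterminated |...| block")
    return bytes(out)


def odd_hex_groups(value: str) -> List[str]:
    """Whitespace-separated groups inside |...| with an odd digit count
    (e.g. '800' and '1'): accepted by Snort, but not the usual byte pairing."""
    return [g for block in re.findall(r"\|([^|]*)\|", value)
            for g in block.split() if len(g) % 2]


def lint_rule(rule: str) -> Dict[str, list]:
    """Findings for one rule: decoded content bytes, oddly grouped hex,
    quote characters inside content, and content options not closed by ;."""
    f = {"contents": [], "odd_groups": [], "quote_chars": [], "errors": []}
    for key, value in split_options(rule):
        if key != "content":
            continue
        m = re.fullmatch(r'!?\s*"((?:[^"\\]|\\.)*)"', value)
        if not m:                      # e.g. content:"INDEX " offset:0
            f["errors"].append(f"content not closed by ;: {value}")
            continue
        inner = m.group(1)
        try:
            f["contents"].append(decode_content(inner))
        except ValueError as e:
            f["errors"].append(str(e))
        f["odd_groups"] += odd_hex_groups(inner)
        f["quote_chars"] += [c for c in inner if c in "'`"]
    return f


# Rules quoted in the thread (sid 284 and 286) and one constructed rule with
# a backtick and a semicolon inside its content (sid chosen from the local
# range; it is not sid 666 or 661).
SID_284 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 '
           'linux overflow";flags: A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 '
           '800 1|"; classtype:attempted-admin; sid:284; rev:1;)')
SID_286 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 '
           'bsd overflow";flags: A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; '
           'classtype:attempted-admin; sid:286; rev:1;)')
CONSTRUCTED = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC '
               'backtick example"; content:"`id`; echo"; flags:A+; sid:1000001; rev:1;)')

if __name__ == "__main__":
    for r in (SID_284, SID_286, CONSTRUCTED):
        print(lint_rule(r))
```

Running it on sid 284 and 286 reports the odd groups but no errors, because the bars enclose 28 and 26 hex digits respectively and Snort only requires an even total. The constructed rule shows that the quote-aware splitter keeps "`id`; echo" intact as a single content value; a tool that tokenizes on semicolons or on quote characters before honouring the double quotes is the kind that trips over sid 666 and 661.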