[Snort-sigs] sid 1048, 284, 286, 666, and 661 Rule nits

Brian bmc at ...95...
Sun Oct 28 11:46:06 EST 2001


According to William Stearns:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape
> Enterprise directory listing attempt"; content:"INDEX " offset:0; depth:6;
> flags:A+; reference:cve,CAN-2001-0250; reference:bugtraq,2285; classtype
> :attempted-recon; sid:1048; rev:2;)
> 
> 	there's a missing semicolon after "content:"INDEX "

Was fixed a long time ago.

> snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109
> (msg:"EXPLOIT pop2 x86 linux overflow";flags: A+; content:"|eb2c 5b89 d980
> c106 39d9 7c07 800 1|"; classtype:attempted-admin; sid:284; rev:1;)
>
> 	The hex content uses mispaired hex digits such as 800 1 ; perhaps
> 80 01 would be more common usage?

Agreed.  Fixed.

> snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110
> (msg:"EXPLOIT pop3 x86 bsd overflow";flags: A+; content:"|5e0 e31c 0b03
> b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:1;)

What is wrong with this rule?

> 	One final request, if I may.  sids 666 and 661 have quotes (' or
> `) in the content field.  Would you consider putting the quote characters
> in hex?  I have a particular tool that's trying to read the snort rules
> and is having trouble with those.  :-(

Hex makes things harder to read, so unless the parser requires it, I
would prefer to avoid hex for human readability.

-- 
Living is hazardous to your health.
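
The three nits raised in this thread (a semicolon missing after a content option, hex digits inside |...| not grouped as byte pairs, and quote characters inside a content string) are all mechanical enough to lint. Below is a small checker for classic Snort 1.x rule syntax, added here as an example; it is not code from the snort-sigs post, from William's tool, or from Snort itself. It is run over the three rules quoted above (rejoined onto single lines) plus one constructed content string standing in for sids 661/666, whose text is not quoted in the thread. It assumes, as I understand Snort's parser, that whitespace inside |...| is ignored and only the total digit count has to be even, so the byte-pair check is a readability check in the sense William raised, not a syntax error. The last helper rewrites only the quote characters as hex (|27| and |60|), mixing text and hex in one content string, which keeps the rest of the string readable in the way Brian prefers while removing the character that broke the third-party parser.

```python
"""Lint the content options of Snort 1.x style rules.

Added example for the snort-sigs thread above; not the post's, William's
tool's or Snort's own code.  Checks: missing ';' after a content option,
hex inside |...| not written as byte pairs, and quotes in content text.
"""
import re

# The three rules quoted in the thread, rejoined onto single lines.
SID_1048 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape '
            'Enterprise directory listing attempt"; content:"INDEX " offset:0; depth:6; '
            'flags:A+; reference:cve,CAN-2001-0250; reference:bugtraq,2285; '
            'classtype:attempted-recon; sid:1048; rev:2;)')
SID_284 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux '
           'overflow";flags: A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 800 1|"; '
           'classtype:attempted-admin; sid:284; rev:1;)')
SID_286 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd '
           'overflow";flags: A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; '
           'classtype:attempted-admin; sid:286; rev:1;)')
# Constructed sample standing in for sids 661/666 (their text is not in the thread).
QUOTED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed sample"; '
          'content:"user \'root\'"; classtype:attempted-admin;)')

CONTENT_RE = re.compile(r'^content\s*:\s*"((?:[^"\\]|\\.)*)"(.*)$', re.S)
HEX_SPAN_RE = re.compile(r"\|[^|]*\|")


def split_options(rule: str) -> list[str]:
    """Split the (...) option body on ';' outside double quotes.

    A content string may itself contain ';' or an escaped '"', so a plain
    str.split(';') would break on real rules.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def lint_option(opt: str) -> list[str]:
    """Return findings for one option; only content options are inspected."""
    m = CONTENT_RE.match(opt)
    if not m:
        return []
    value, trailing = m.group(1), m.group(2).strip()
    findings = []
    if trailing:
        # content:"INDEX " offset:0  -> the ';' after the string is missing, so
        # the next option was swallowed into this one when we split on ';'.
        findings.append(f'missing ";" after content:"{value}" (swallowed: {trailing})')
    for span in HEX_SPAN_RE.findall(value):
        groups = span.strip("|").split()
        bad = [g for g in groups
               if len(g) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", g)]
        if bad:
            # Assumption: Snort ignores the whitespace and accepts this as long as
            # the total digit count is even, so this is a readability finding.
            findings.append("hex not in byte pairs: " + " ".join(bad))
    text_parts = HEX_SPAN_RE.split(value)
    if any(c in part for part in text_parts for c in ("'", "`")):
        findings.append("quote character in content text")
    return findings


def lint_rule(rule: str) -> list[str]:
    return [f for opt in split_options(rule) for f in lint_option(opt)]


def hex_escape_quotes(value: str) -> str:
    """Rewrite ' and ` in the text parts of a content string as |27| / |60|,
    leaving existing |...| spans and all other text untouched."""
    pieces = re.split(r"(\|[^|]*\|)", value)   # odd indices are the hex spans
    return "".join(p if i % 2 else p.replace("'", "|27|").replace("`", "|60|")
                   for i, p in enumerate(pieces))


if __name__ == "__main__":
    for name, rule in (("sid 1048", SID_1048), ("sid 284", SID_284),
                       ("sid 286", SID_286), ("constructed", QUOTED)):
        for finding in lint_rule(rule):
            print(f"{name}: {finding}")
    print("escaped:", hex_escape_quotes("user 'root'"))
```

Running the script reports the swallowed `offset:0` for sid 1048, the `800 1` groups for sid 284, the `5e0` and `9fa` groups for sid 286, and the quote in the constructed sample; the escaped form `user |27|root|27|` passes the quote check while keeping the word boundaries readable.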