[Snort-sigs] Traffic Identifiers - Multimedia

Robert Wagner rwagner at ...447...
Tue Apr 2 10:37:43 EST 2002


I wanted to publish a signature that didn't really tie to an attack, but
helps identify traffic on the network.  This signature looks for the Net
Show call within streaming video on port 1744.  Writing a signature that is
set off on all of port 1755 traffic will quickly tie up your resources.

To test this, visit http://broadcast.yahoo.com/home.html and select the
broadcast.yahoo.com link under the media on demand.  


0x0060: F0 F0 0B 00 04 00 1C 00 03 00 4E 00 53 00 50 00  ..........N.S.P.
0x0070: 6C 00 61 00 79 00 65 00 72 00 2F 00 34 00 2E 00  l.a.y.e.r./.4...


alert tcp $EXTERNAL_NET 1023: -> $HOME_NET 1755 (msg:"Multimedia - Microsoft NetShow start"; content:"|4E 00 53 00 50 00 6C 00 61 00 79 00 65 00 72|"; nocase; tag: host,300,packet,src;)

Can someone tell me how to submit a rule that doesn't have a SID?  Can
someone from snort assign the classtype and SID?
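
Added example, not part of the original post: a Python check that the rule's content bytes are the UTF-16LE form of "NSPlayer" and that they match the packet dump quoted above. The function names and the "9.0" agent strings are constructed for illustration, and nocase is approximated with ASCII case folding.

```python
import re

# Dump lines copied from the post (offsets 0x0060 and 0x0070 of the captured packet).
DUMP = """\
0x0060: F0 F0 0B 00 04 00 1C 00 03 00 4E 00 53 00 50 00  ..........N.S.P.
0x0070: 6C 00 61 00 79 00 65 00 72 00 2F 00 34 00 2E 00  l.a.y.e.r./.4...
"""
# content option copied from the posted rule.
RULE_CONTENT = "|4E 00 53 00 50 00 6C 00 61 00 79 00 65 00 72|"


def parse_dump(text):
    """Return the raw bytes from 'offset: hex bytes  ascii' dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9A-Fa-f]+:\s+((?:[0-9A-Fa-f]{2} ?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)


def content_to_bytes(content):
    """Convert Snort content (literal text mixed with |hex| runs) to bytes.
    Simplification: escaped characters inside the literal parts are not handled."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def find_nocase(payload, pattern):
    """Offset of pattern in payload under ASCII case folding, or -1 if absent."""
    return payload.lower().find(pattern.lower())


PAYLOAD = parse_dump(DUMP)
PATTERN = content_to_bytes(RULE_CONTENT)

if __name__ == "__main__":
    hit = find_nocase(PAYLOAD, PATTERN)
    # Odd length: the final 00 of the last UTF-16 code unit is left out of the rule.
    print("pattern length:", len(PATTERN))
    print("match at dump offset: 0x%04X" % (0x60 + hit))
    print("decoded from match:", PAYLOAD[hit:].decode("utf-16-le"))
    # Constructed inputs: lower-case UTF-16LE still matches, plain ASCII does not.
    print(find_nocase("nsplayer/9.0".encode("utf-16-le"), PATTERN))
    print(find_nocase(b"NSPlayer/9.0", PATTERN))
```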



