[Snort-sigs] Novice question: Format of snort signatures

Magnus Almgren almgren at ...250...
Thu Jan 10 12:20:16 EST 2002


I am quite new to SNORT, and I have been browsing through the signatures
and the documentation. I have two questions about the "valid" format of
SNORT sigs.

The first concern is the snort rule with sid=1382 (exploit.rules):
  alert tcp any any -> any any 6667 (msg:"EXPLOIT Ettercap IRC parse
  overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY";
  nocase; offset:0; dsize:>200;
  reference:url,www.bugtraq.org/dev/GOBBLES-12.txt;
  classtype:misc-attack; sid:1382; rev:1;)

The rule header contains "any any 6667", and I am unsure how to
interpret this statement. Is "any" repeated twice by mistake?

The second question is minor and deals with the case of all
keywords. The rules I am concerned about have sid=1246 and sid=1248 (web-frontpage.rules):
  alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
  rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase;
  dsize:>258; flags:A+; classtype:web-application-attack;
  reference:arachnids,555;reference:bugtraq,2906; reference:
  cve,CAN-2001-0341; sid:1246;rev:2;)

  alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
  rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase;
  flags:A+; classtype:web-application-activity;
  reference:arachnids,555; reference:bugtraq,2906; reference:
  cve,CAN-2001-0341; sid:1248; rev:2;)

All rules except these two have lowercase protocols. Are keywords,
protocol names and rule actions case-insensitive or case-sensitive?

Thanks for your help, and I am sorry if I have missed a similar
discussion in an FAQ.

Cheers,
Magnus
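A small rule checker for the two points raised in the post, added here as an example; it is not code from the Snort project or from the original poster. It splits a rule into the seven header fields (action, protocol, source address and port, direction, destination address and port) plus the option list, rejects a header with any other field count (so the sid 1382 header, which has eight fields, is reported rather than silently accepted), and records a non-lowercase action or protocol as a warning instead of an error, because whether Snort accepts "TCP" is exactly the open question. The three rules are the ones quoted above; the warning-on-uppercase behaviour and the option splitting are assumptions of this checker, not a statement of what Snort's own parser does.

```python
"""Checker for Snort-style rule text (added example, not Snort's parser)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A rule header is exactly seven whitespace-separated fields.
HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")

# The three rules quoted in the post, copied verbatim (line wraps included).
SID_1382 = """alert tcp any any -> any any 6667 (msg:"EXPLOIT Ettercap IRC parse
overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY";
nocase; offset:0; dsize:>200;
reference:url,www.bugtraq.org/dev/GOBBLES-12.txt;
classtype:misc-attack; sid:1382; rev:1;)"""

SID_1246 = """alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase;
dsize:>258; flags:A+; classtype:web-application-attack;
reference:arachnids,555;reference:bugtraq,2906; reference:
cve,CAN-2001-0341; sid:1246;rev:2;)"""

SID_1248 = """alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase;
flags:A+; classtype:web-application-activity;
reference:arachnids,555; reference:bugtraq,2906; reference:
cve,CAN-2001-0341; sid:1248; rev:2;)"""


@dataclass
class Rule:
    header: Dict[str, str]
    options: List[Tuple[str, Optional[str]]]   # (keyword, value or None for bare keywords)
    warnings: List[str] = field(default_factory=list)

    def option(self, keyword: str) -> Optional[str]:
        """Return the value of the first option with this keyword, or None."""
        for key, value in self.options:
            if key == keyword:
                return value
        return None


def split_options(body: str) -> List[str]:
    """Split the option body on ';' characters that are outside double quotes."""
    parts: List[str] = []
    current: List[str] = []
    in_quotes = escaped = False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_rule(text: str) -> Rule:
    """Parse one rule; raise ValueError for a header that is not seven fields."""
    text = " ".join(text.split())            # rejoin lines wrapped by the mail client
    match = re.fullmatch(r"(.*?)\s*\((.*)\)", text)
    if not match:
        raise ValueError("rule has no parenthesised option section")
    header_text, body = match.group(1), match.group(2)
    fields = header_text.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(
            f"header has {len(fields)} fields, expected {len(HEADER_FIELDS)}: {header_text!r}")
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction {header['direction']!r}")
    options = []
    for part in split_options(body):
        key, sep, value = part.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    rule = Rule(header, options)
    # Assumption: the shipped ruleset is lowercase, so anything else is flagged
    # for a human to check against the real parser, not rejected outright.
    for name in ("action", "proto"):
        if header[name] != header[name].lower():
            rule.warnings.append(f"{name} {header[name]!r} is not lowercase")
    return rule


def check(text: str) -> dict:
    """Parse one rule and summarise the outcome for a report."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "sid": rule.option("sid"), "proto": rule.header["proto"],
            "warnings": rule.warnings}


if __name__ == "__main__":
    for rule_text in (SID_1382, SID_1246, SID_1248):
        print(check(rule_text))
```

Run as a script it prints one summary line per rule: the first is rejected for its eight-field header, the other two parse with a warning about the uppercase protocol. Extending the checker to decide case policy for the whole keyword set would mean reading Snort's own parser; this version only makes the discrepancy visible.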
