[Snort-sigs] Novice question: Format of snort signatures

Brian bmc at ...95...
Fri Jan 11 05:04:02 EST 2002


According to Magnus Almgren:
> I am quite new to SNORT, and I have been browsing through the signatures
> and the documentation. I have two questions about the "valid" format of
> SNORT sigs.
> 
> The first concern is the snort rule with sid=1382 (exploit.rules):
>   alert tcp any any -> any any 6667 (msg:"EXPLOIT Ettercap IRC parse
>   overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY";
>   nocase; offset:0; dsize:>200;
>   reference:url,www.bugtraq.org/dev/GOBBLES-12.txt;
>   classtype:misc-attack; sid:1382; rev:1;)
> 
> The rule header contains "any any 6667", and I am unsure how to
> interpret this statement. Is "any" repeated twice by mistake?

Yeah, that's a mistake.  The parser reads that as "any any -> any any"
and ignores the port.

> The second question is minor and deals with the case of all
>   keywords. The rules I am concerned about have sid=1246 and sid=1248: (web-frontpage.rules)
>   alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
>   rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase;
>   dsize:>258; flags:A+; classtype:web-application-attack;
>   reference:arachnids,555;reference:bugtraq,2906; reference:
>   cve,CAN-2001-0341; sid:1246;rev:2;)
> 
>   alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE
>   rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase;
>   flags:A+; classtype:web-application-activity;
>   reference:arachnids,555; reference:bugtraq,2906; reference:
>   cve,CAN-2001-0341; sid:1248; rev:2;)
> 
> All rules except these two have lowercase protocols. Are keywords,
> protocol names, rule actions case insensitive or case sensitive?

For protocol names, it's insensitive.  However, I am changing the sigs
to be consistent.

-- 
Unix *is* user-friendly. It is not ignorant-friendly and idiot-friendly.
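To make the two points above concrete (an eight-field header such as the one in sid:1382, and case-insensitive protocol names as in sid:1246), here is a small rule-header linter. It is an added example, not code from this thread or from Snort itself: it checks the header grammar described here (action, protocol, source address, source port, direction, destination address, destination port) and, unlike the behaviour Brian describes for Snort's parser, it rejects a header with the wrong number of fields instead of silently dropping the trailing one. The two rule strings are constructed copies of the rules quoted in the question, joined onto one line; the protocol set and the quote-aware option splitter are simplifications assumed for illustration.

```python
import re

# Rule header grammar as used by the rules quoted in this thread (assumed here):
#   action protocol src_addr src_port direction dst_addr dst_port
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# Constructed copies of the two rules under discussion, joined onto one line.
RULE_1382 = ('alert tcp any any -> any any 6667 (msg:"EXPLOIT Ettercap IRC parse '
             'overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; '
             'nocase; offset:0; dsize:>200; '
             'reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; '
             'classtype:misc-attack; sid:1382; rev:1;)')
RULE_1246 = ('alert TCP $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE '
             'rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase; '
             'dsize:>258; flags:A+; classtype:web-application-attack; '
             'reference:arachnids,555;reference:bugtraq,2906; reference: '
             'cve,CAN-2001-0341; sid:1246;rev:2;)')


class RuleFormatError(ValueError):
    """Raised when a rule does not fit the header/option grammar."""


def split_rule(rule):
    """Return (header, option_body) for a rule; whitespace is normalised first."""
    rule = " ".join(rule.split())
    if "(" not in rule or not rule.endswith(")"):
        raise RuleFormatError("options must be enclosed in parentheses")
    header, _, body = rule.partition("(")
    return header.strip(), body[:-1].strip()


def parse_header(header):
    """Parse the seven header fields; the protocol is matched case-insensitively
    and returned in lower case, so 'TCP' and 'tcp' are the same rule."""
    fields = header.split()
    if len(fields) != 7:
        raise RuleFormatError(
            f"expected 7 header fields, got {len(fields)}: {' '.join(fields)}")
    action, proto, src, sport, direction, dst, dport = fields
    if proto.lower() not in PROTOCOLS:
        raise RuleFormatError(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise RuleFormatError(f"bad direction operator {direction!r}")
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def parse_options(body):
    """Split 'key:value; key; ...' on semicolons that sit outside double quotes.
    Escaped quotes inside content strings are not handled by this toy splitter."""
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)
    options = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        options.append((key.strip(), value.strip()))
    return options


def lint_rule(rule):
    """Return (ok, message); ok is False when the header or options do not parse."""
    try:
        header, body = split_rule(rule)
        parsed = parse_header(header)
        options = dict(parse_options(body))
    except RuleFormatError as exc:
        return False, str(exc)
    return True, f"sid {options.get('sid', '?')}: {parsed['proto']} -> port {parsed['dport']}"


if __name__ == "__main__":
    for rule in (RULE_1382, RULE_1246):
        print(lint_rule(rule))
```

Run as a script it reports the sid:1382 header as having eight fields and accepts sid:1246 with its protocol normalised to "tcp". The linter deliberately does not guess which of the trailing "any any 6667" fields was meant to be dropped; that is a decision for the rule author, not the parser.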
