[Snort-sigs] Requesting assistance in writing a snort signature.

Michael Anuzis michael_anuzis at ...12...
Tue Jan 22 13:35:04 EST 2002

I've used OpenBSD for about two years now & I've always wanted to really 
help out the open-source community, but sadly I know very little about 
programming. It seems unlikely I'd be able to learn a thing or two and then all 
of a sudden start correcting bugs left by the gurus that create OpenBSD... & 
this is where snort comes in!

Since no advanced coding knowledge is required to understand snort 
signatures I would really love to help out in this area. Both in creating 
summaries for the existing signatures and writing brand new ones.

I've started my efforts with what seems like a simple project. Simply 
capturing the "SIN" beacon SubSeven 2.2 can use server-side to send out 
notifications to clients that the server has been installed successfully.

Captured in snort it's available here: 
& captured in tcpdump it's available here:

Just looking at it, there are a lot of things I can identify that I could 
write a signature about. The TTL always starts the same; the IpLen, DgmLen, 
Len, & TOS always start the same; & the payload starting at 8177 9e9c 
on the 2nd line and all the way through 6d6e d9d1 adb9 cd66 a295 on the 3rd 
line is always identical.

I tried to write a signature based mostly on content taken from the third 
line of hex... but for some reason it isn't catching the notification, & from 
the documentation about the content flag I can't understand why not. This is 
the rule I'm trying to use:

# Snort rule on a single line; numeric options (ttl, tos) take bare values, not quoted strings
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"SubSeven 2.2 SIN Beacon"; ttl:127; content:"|6d6e d9d1 adb9 cd66 a295|"; tos:0;)

If someone could please take a minute or two to e-mail me back personally & 
explain what is going wrong & perhaps offer some insight on writing these 
snort signatures, it would be greatly appreciated.

                                    Michael Anuzis
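The post above asks why a content-based rule misses a payload whose bytes it quotes. As an added example (not part of the original message and not Snort's own code), the script below models how a Snort content string is turned into bytes and matched against a packet: literal text outside pipes, hex inside |...| with whitespace ignored, and all rule options (here ttl, tos and content) ANDed together. The SIN-beacon bytes are the ones quoted in the post; the filler between them and the TTL/TOS values of the sample packet are constructed for the demonstration, since the capture itself is not on the page.

```python
"""Model of Snort content-option matching.

Added example, not Snort source. Assumptions (not from the original post):
a content string mixes literal text with |hex| segments, whitespace inside
the pipes is ignored, and a rule fires only when every option holds.
"""
import re
from dataclasses import dataclass

# Bytes quoted in the post as the constant part of the SIN beacon.
SIN_CONTENT = "|6d6e d9d1 adb9 cd66 a295|"

# Constructed sample payload: the quoted start and end of the constant
# region, with made-up filler in between (the real bytes are not on the page).
SAMPLE_PAYLOAD = (
    bytes.fromhex("81779e9c")
    + b"\x00" * 12                      # constructed filler
    + bytes.fromhex("6d6ed9d1adb9cd66a295")
)


def parse_content(spec: str) -> bytes:
    """Convert a Snort-style content string into the raw bytes to search for.

    Segments outside pipes are literal text; segments between pipes are hex
    digits, in which spaces and newlines are dropped before decoding.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")           # literal text
        else:
            digits = re.sub(r"\s+", "", part)       # hex, whitespace ignored
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in %r" % part)
            out += bytes.fromhex(digits)
    return bytes(out)


def content_matches(spec: str, payload: bytes) -> bool:
    """True if the content bytes occur anywhere in the payload."""
    return parse_content(spec) in payload


@dataclass
class Packet:
    """Minimal stand-in for the IP/UDP fields a rule can test (constructed)."""
    ttl: int
    tos: int
    payload: bytes


def rule_matches(pkt: Packet, ttl: int, tos: int, content: str) -> bool:
    """Rule options are ANDed: a wrong ttl or tos alone is enough to miss."""
    return pkt.ttl == ttl and pkt.tos == tos and content_matches(content, pkt.payload)


# Constructed packet: TTL 127 and TOS 0 are the values the posted rule tests for.
SAMPLE_PACKET = Packet(ttl=127, tos=0, payload=SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(parse_content(SIN_CONTENT).hex())
    print(rule_matches(SAMPLE_PACKET, 127, 0, SIN_CONTENT))
    # Same payload, different TTL: the content still matches but the rule does not.
    print(rule_matches(Packet(64, 0, SAMPLE_PAYLOAD), 127, 0, SIN_CONTENT))
```

Run it directly to see the decoded bytes and the two rule outcomes. A real Snort rule must sit on one line (or use a trailing backslash to continue), so a rule broken across lines by a mail client, as the one quoted above is, needs to be rejoined before testing.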

