[Snort-sigs] Requesting assistance in writing a snort signature.
michael_anuzis at ...12...
Tue Jan 22 13:35:04 EST 2002
I've used OpenBSD for about two years now & I've always wanted to really
help out the open-source community, but sadly I know very little about
programming. It seems unlikely I'd be able to learn a thing or two then all
of a sudden start correcting bugs left by the gurus that create OpenBSD.... &
this is where snort comes in!
Since no advanced coding knowledge is required to understand snort
signatures I would really love to help out in this area. Both in creating
summaries for the existing signatures and writing brand new ones.
I've started my efforts with what seems like a simple project. Simply
capturing the "SIN" beacon SubSeven 2.2 can use server-side to send out
notifications to clients that the server has been installed successfully.
Captured in snort it's available here:
& captured in tcpdump it's available here:
Just looking at it, there are a lot of things I can identify that I could
write a signature about. The TTL always starts the same; the IpLen, DgmLen,
Len, & TOS always start the same; & the payload starting at 8177 9e9c
on the 2nd line and all the way through 6d6e d9d1 adb9 cd66 a295 on the 3rd
line is always identical.
I tried to write a signature based on mostly content taken from the third
line of hex... but for some reason it isn't catching the notification & from
the documentation about the content flag I can't understand why not. This is
the rule I'm trying to use:
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "SubSeven 2.2 SIN Beacon"; ttl: "127"; content: "|6d6e d9d1 adb9 cd66 a295|"; tos: "0x0";)
If someone could please take a minute or two to e-mail me back personally &
explain what is going wrong & perhaps offer some insight on writing these
snort signatures it would be greatly appreciated.
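As an added example (not part of the original post), here is a small Python matcher that applies the posted rule's `ttl`, `tos` and `content` tests to a packet, so the content pattern can be sanity-checked offline before loading it into Snort. It only models the unanchored content search and exact header comparison that the rule uses; the sample packets are constructed, not real captures.

```python
import re


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string to the raw bytes it searches for.

    Text outside '|...|' is literal; inside the pipes are hex byte values,
    and whitespace between them (including a mail-client line wrap) is ignored.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")       # literal text section
        else:
            digits = re.sub(r"\s+", "", part)   # hex section, whitespace dropped
            if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                raise ValueError(f"bad hex section: {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def rule_matches(pkt: dict, rule: dict) -> bool:
    """Exact header comparisons, then an unanchored search of the UDP payload."""
    if "ttl" in rule and pkt["ttl"] != rule["ttl"]:
        return False
    if "tos" in rule and pkt["tos"] != rule["tos"]:
        return False
    return parse_content(rule["content"]) in pkt["payload"]


# The posted rule's options, with the hex exactly as it appeared (wrapped).
SIN_RULE = {"ttl": 127, "tos": 0,
            "content": "|6d6e d9d1 adb9 cd66 a\n295|"}

# Constructed sample packets (hypothetical values, not real captures).
BEACON = {"ttl": 127, "tos": 0,
          "payload": (b"\x81\x77\x9e\x9c" + bytes(12)
                      + bytes.fromhex("6d6ed9d1adb9cd66a295") + b"\x00")}
OTHER = {"ttl": 64, "tos": 0, "payload": b"hello"}
```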