[Snort-sigs] problems with recent rule snapshots....
r.fulton at ...575...
Tue May 7 17:08:05 EDT 2002
New rules with no sid:

file snortrules.tar.gz and snortrules-current.tar.gz

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI
ustorekeeper.pl directory traversal attempt"; flags:A+;
uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase;

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (flags: A+; content:
"CONNECT "; nocase; content: "HTTP/"; nocase; msg: "HTTP CONNECT

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (flags: A+; content:
"200 Connection established"; nocase; msg: "HTTP CONNECT access

I assume that all 'official' rules are supposed to have sids. I have my
own updater which uses sids to keep track of changes I make to rules and
updates new rule sets overnight.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
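
A check for the condition reported above, as an added example that is not part of the original post or of the Snort distribution: it scans rules text and lists every rule that carries no sid option, so an updater keyed on sids can flag them before merging a snapshot. The function names and the sample rules are constructed for illustration.

```python
import re

ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
# One rule option: "keyword;" or "keyword: value;". A value may hold quoted
# strings, so a ';' or "sid:" inside content:"..." is not read as an option.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

# Constructed sample rules, not taken from the snapshots discussed above.
SAMPLE = r'''
# local test rules
var HTTP_SERVERS any
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Constructed rule A"; \
    flags:A+; content:"CONNECT "; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Constructed rule B"; \
    flags:A+; content:"sid:1;"; nocase;)
'''


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line


def rules_missing_sid(text):
    """Return the msg (or, failing that, the header) of each rule with no sid."""
    missing = []
    for line in logical_lines(text):
        if line.split(None, 1)[0] not in ACTIONS:
            continue  # var definitions, includes, preprocessor lines
        header, _, body = line.partition("(")
        opts = {k.lower(): (v or "").strip() for k, v in OPTION_RE.findall(body)}
        if not opts.get("sid", "").isdigit():
            missing.append(opts.get("msg", header.strip()).strip('"'))
    return missing


if __name__ == "__main__":
    for name in rules_missing_sid(SAMPLE):
        print("no sid:", name)
```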