[Snort-sigs] problems with recent rule snapshots....

Russell Fulton r.fulton at ...575...
Tue May 7 17:08:05 EDT 2002


New rules with no sid:

files snortrules.tar.gz and snortrules-current.tar.gz

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI
ustorekeeper.pl directory traversal attempt";  flags:A+;
uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase;
classtype:web-application-attack;) 

snortrules-current.tar.gz

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (flags: A+; content:
"CONNECT "; nocase; content: "HTTP/"; nocase; msg: "HTTP CONNECT
attempt";)

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (flags: A+; content:
"200 Connection established"; nocase; msg: "HTTP CONNECT access
successful";)

I assume that all 'official' rules are supposed to have sids.  I have my
own updater which uses sids to keep track of changes I make to rules and
updates new rule sets overnight.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
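A check for the problem described in the post, added here as an example and not the poster's own updater: it parses a Snort rule snapshot (joining backslash-continued lines, skipping comments), lists the rules that carry no sid, and diffs two snapshots keyed by sid the way a sid-based updater must. The SNAPSHOT text is constructed for the example (the sid-less rules quoted above plus a local rule with the made-up sid 1000001).

```python
import re
# Constructed sample snapshot (not from the posted tarballs): the sid-less rules
# quoted in the post plus one local rule that does carry a (made-up) sid.
SNAPSHOT = r'''
# WEB-CGI rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flags:A+; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; classtype:web-application-attack;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (flags: A+; content: "CONNECT "; nocase; \
    content: "HTTP/"; nocase; msg: "HTTP CONNECT attempt";)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL test; with semicolon"; flags:A+; content:"x"; sid:1000001; rev:1;)
'''
_SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')           # "sid:N;" option
_MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')        # quoted msg, may hold ';'

def _logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    buf, out = "", []
    for line in map(str.rstrip, text.splitlines()):
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(buf.strip())
        buf = ""
    return out

def parse_rules(text):
    """One dict per rule: raw text, msg, and sid (None when the rule has no sid)."""
    rules = []
    for raw in _logical_lines(text):
        lp, rp = raw.find("("), raw.rfind(")")
        if lp < 0 or rp < lp:
            continue                      # 'var'/'include' lines etc., not rules
        opts = raw[lp + 1:rp]             # everything inside the option parentheses
        sid, msg = _SID_RE.search(opts), _MSG_RE.search(opts)
        rules.append({"raw": raw, "msg": msg.group(1) if msg else "",
                      "sid": int(sid.group(1)) if sid else None})
    return rules

def rules_missing_sid(text):
    """msg of every rule that a sid-keyed updater cannot track."""
    return [r["msg"] for r in parse_rules(text) if r["sid"] is None]

def diff_by_sid(old_text, new_text):
    """Compare two snapshots by sid: (added, changed, removed) sid lists."""
    old = {r["sid"]: r["raw"] for r in parse_rules(old_text) if r["sid"] is not None}
    new = {r["sid"]: r["raw"] for r in parse_rules(new_text) if r["sid"] is not None}
    changed = sorted(s for s in old.keys() & new.keys() if old[s] != new[s])
    return sorted(new.keys() - old.keys()), changed, sorted(old.keys() - new.keys())
```

Rules reported by rules_missing_sid are exactly the ones that silently fall outside any sid-based change tracking, so an overnight updater should refuse or at least flag them rather than merge them.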