[Snort-sigs] creating new sigs [newbie]

Matt Kettler mkettler at ...189...
Sat Apr 5 09:09:06 EST 2003

for  testing use SID's of 1000000 (one million) or higher, which are 
reserved for local use. Make sure that no two rules have the same SID (1 
million and higher will not be in the default ruleset, so you only need to 
make sure you don't collide with your own rules).

Also you should look at the rules in web-iis.rules. There are two generic 
".ida" access signatures in there already. While not code-red specific, 
code red should trigger them.

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; 
uricontent:".ida?"; nocase; reference:arachnids,552; 
classtype:web-application-attack; reference:bugtraq,1065; 
reference:cve,CAN-2000-0071; sid:1243; rev:8;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; 
flow:to_server,established; reference:arachnids,552; 
classtype:web-application-activity; reference:cve,CAN-2000-0071; 
reference:bugtraq,1065; sid:1242;  rev:6;)

At 07:33 AM 4/5/2003 -0600, you wrote:
>I am a newbie to snort.
>I want to create a rule to catch CodeRed default.ida attacks.  I have what 
>I think is the right signature defined, but I need more information on the 
>SID.  How do I select an SID?  is it purely random to test with or what?

More information about the Snort-sigs mailing list