[Snort-sigs] creating new sigs [newbie]

Chris Hare, CISSP, CISA chare at ...1435...
Sat Apr 5 09:39:04 EST 2003

Thanks -- unfortunately, the webserver sees them, but snort isn't trigger an
alarm.  Might be there is something else wrong.


----- Original Message -----
From: "Matt Kettler" <mkettler at ...189...>
To: "Chris Hare, CISSP, CISA" <chare at ...1435...>;
<snort-sigs at lists.sourceforge.net>
Sent: Saturday, April 05, 2003 11:07 AM
Subject: Re: [Snort-sigs] creating new sigs [newbie]

> for  testing use SID's of 1000000 (one million) or higher, which are
> reserved for local use. Make sure that no two rules have the same SID (1
> million and higher will not be in the default ruleset, so you only need to
> make sure you don't collide with your own rules).
> Also you should look at the rules in web-iis.rules. There are two generic
> ".ida" access signatures in there already. While not code-red specific,
> code red should trigger them.
> web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established;
> uricontent:".ida?"; nocase; reference:arachnids,552;
> classtype:web-application-attack; reference:bugtraq,1065;
> reference:cve,CAN-2000-0071; sid:1243; rev:8;)
> web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase;
> flow:to_server,established; reference:arachnids,552;
> classtype:web-application-activity; reference:cve,CAN-2000-0071;
> reference:bugtraq,1065; sid:1242;  rev:6;)
> At 07:33 AM 4/5/2003 -0600, you wrote:
> >I am a newbie to snort.
> >
> >I want to create a rule to catch CodeRed default.ida attacks.  I have
> >I think is the right signature defined, but I need more information on
> >SID.  How do I select an SID?  is it purely random to test with or what?
> >
> >Thanks
> >
> >Chris

More information about the Snort-sigs mailing list