[Snort-sigs] Netbios rules are case sensitive?

Jason Haar Jason.Haar at ...651...
Wed Apr 30 15:10:03 EDT 2003


I've just noticed that the Nimda rules are case sensitive - should that be
the case?

e.g.

alert tcp any any -> any 139 (msg:"NETBIOS nimda .eml";
content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml;
sid:1293; rev:8;)


That'll catch "test.EML", but it won't catch "test.eml|test.emL" - even
though they are all ".eml" according to Windows applications...

Shouldn't "nocase" be in them?

Also, there are no port 445 versions of these rules - shouldn't there be?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-sigs mailing list