[Snort-sigs] RE: Snort-sigs digest, Vol 1 #667 - 4 msgs

SG-Chew Poh Chang chew.pohchang at ...1742...
Thu Aug 7 20:44:02 EDT 2003


-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Friday, August 08, 2003 11:30 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #667 - 4 msgs

Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."

Today's Topics:

   1. Re: Snort rules am attaching the files (Nigel Houghton)
   2. AIM Express sigs (Alan Kloster)
   3. Signature Timestamp? (Dusty Hall)
   4. Re: Signature Timestamp? (Matt Kettler)


Message: 1
Date: Wed, 6 Aug 2003 21:42:49 -0400 (EDT)
From: Nigel Houghton <nigel at ...435...>
To: Neal Timm <nealtimm at ...1224...>
  "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Snort rules am attaching the files

Around Jul 30 Neal Timm said:

NT :How many does it take to get a t-shirt?
NT :

20, non-duplicated, good docs.

Nigel Houghton       Security Engineer        Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
Aug 6


Message: 2
Date: Thu, 7 Aug 2003 08:30:54 -0500
From: "Alan Kloster" <akloster at ...1741...>
To: <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] AIM Express sigs

We also use snort to log instant messages to a separate database for posterity.  In case anyone else is doing this, here are two sigs to catch AIM Express messages.  AIM Express is the web based version of AOL Instant Messenger.  These have worked quite well.

## Detect AIM Express sent messages
internal tcp any any -> any 80 (msg:"CHAT AIM Express send message";
3 65 6e 64 5f 69 6d|"; classtype:policy-violation; priority:3; rev:1;)
## Detect AIM Express received messages
internal tcp $EXTERNAL_NET 80 -> any any (msg:"CHAT AIM Express receive
; content:"|5f 49 4e 3a|"; classtype:policy-violation; priority:3;

Alan Kloster
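To see what the two sigs above actually match, here is an added example (not code from Alan's post or from Snort itself) that re-implements their port and content checks in plain Python and runs them over a few constructed HTTP payloads. It parses the Snort content argument the way Snort reads it (literal text mixed with |hex| segments) and does an unanchored byte search. The receive-side bytes |5f 49 4e 3a| ("_IN:") are taken from the post; the send-side content in the post is cut off at "3 65 ...", so the example assumes the full pattern is |73 65 6e 64 5f 69 6d| ("send_im"). The packet payloads and port numbers are made up for the demonstration.

```python
"""Snort-style 'content' matching for the two AIM Express rules above.

Added example, not from the original post or from Snort. It re-implements
the port and content checks of the two sigs in Python and runs them against
constructed payloads offline. ASSUMPTION: the send-side pattern, truncated
in the post, is |73 65 6e 64 5f 69 6d| ("send_im").
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_content(arg: str) -> bytes:
    """Turn a Snort content argument into the bytes Snort would search for.

    Snort allows literal text mixed with |hex ...| segments, so
    "abc|5f 49 4e 3a|" becomes b"abc_IN:". Backslash escapes (\\| \\" \\;)
    are not handled here.
    """
    out = bytearray()
    for i, seg in enumerate(arg.split("|")):
        if i % 2:  # odd segments sit between a pair of '|' and hold hex bytes
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")
    return bytes(out)


@dataclass
class Rule:
    msg: str
    src_port: Optional[int]  # None means "any"
    dst_port: Optional[int]
    content: bytes


# Receive-side content is exactly what the post shows (|5f 49 4e 3a| = "_IN:").
# Send-side content is an ASSUMPTION; the post's bytes are cut off at "3 65 ...".
RULES = [
    Rule("CHAT AIM Express send message", None, 80,
         parse_content("|73 65 6e 64 5f 69 6d|")),
    Rule("CHAT AIM Express receive message", 80, None,
         parse_content("|5f 49 4e 3a|")),
]

# Constructed sample flows (not real captures): (src_port, dst_port, payload).
PACKETS: List[Tuple[int, int, bytes]] = [
    (51234, 80, b"POST /aim/express HTTP/1.1\r\n\r\nsn=alice&send_im&to=bob&msg=hi"),
    (80, 51234, b"HTTP/1.1 200 OK\r\n\r\n_IN:bob:hello alice"),
    (51235, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Unrelated page that happens to contain "_IN:" -> false positive.
    (80, 51235, b"HTTP/1.1 200 OK\r\n\r\n<p>PLUG_IN: enabled</p>"),
]


def matches(rule: Rule, src: int, dst: int, payload: bytes) -> bool:
    """Port check first (cheap), then an unanchored byte search like Snort's content."""
    if rule.src_port is not None and src != rule.src_port:
        return False
    if rule.dst_port is not None and dst != rule.dst_port:
        return False
    return rule.content in payload


def run_rules(rules=RULES, packets=PACKETS) -> List[Tuple[int, str]]:
    """Return (packet index, rule msg) for every hit, in packet order."""
    hits = []
    for idx, (src, dst, payload) in enumerate(packets):
        for rule in rules:
            if matches(rule, src, dst, payload):
                hits.append((idx, rule.msg))
    return hits


if __name__ == "__main__":
    for idx, msg in run_rules():
        print(f"packet {idx}: {msg}")
```

Packet 3 is the caveat: a four-byte unanchored content like "_IN:" applied to every reply from port 80 will also fire on ordinary web pages that happen to contain those bytes, so a longer or better-anchored pattern is needed before the logged "messages" can be trusted.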


Message: 3
Date: Thu, 07 Aug 2003 09:08:49 -0500
From: "Dusty Hall" <halljer at ...1195...>
To: <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] Signature Timestamp?

This is probably a stupid question but here goes...  why doesn't anyone
Timestamp their Signatures?




Message: 4
Date: Thu, 07 Aug 2003 17:21:27 -0400
To: "Dusty Hall" <halljer at ...1195...>, <snort-sigs at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] Signature Timestamp?

At 09:08 AM 8/7/2003 -0500, Dusty Hall wrote:
>This is probably a stupid question but here goes...  why doesn't anyone
>Timestamp their Signatures?

I guess I can show my ignorance and state that I don't timestamp my 
signatures (and I do have my own custom snort rules), because I did not 
know that snort had such a feature.

So what do you mean by timestamping a signature, and can you give an


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

End of Snort-sigs Digest