[Snort-sigs] Signature Timestamp?

JP Vossen vossenjp at ...1431...
Fri Aug 8 21:55:05 EDT 2003


> Date: Fri, 08 Aug 2003 08:19:12 -0500
> From: "Dusty Hall" <halljer at ...1195...>
> To: <mkettler at ...189...>,<snort-sigs at lists.sourceforge.net>
> Subject: Re: [Snort-sigs] Signature Timestamp?
>
> Matt,
>
>   I guess what I'm trying to get to is this:  Say I'm looking through
> some detected alerts on one of my sniffers and I see a ton of a
> particular alert... How do I know when this rule/alert was added to the
> rule sets (I download new rules each night).  I'm not suggesting adding
> Dates to each rule, although that might work, I've just noticed everyone
> working on rule documentation and none of this documentation has a date
> associated with when it was added to the rule set.  I know you could go
> and look at the CVE.. etc. but that doesn't tell you when the rule was
> added.  It's not a huge problem, it just seems like there should be some
> type of Date associated with each alert.  That is just my $.02 :).

Now THAT is an interesting question!  I can think of one method that will
work, though the effort involved may vary.  Go look it up in Snort's CVS.

For example, you want to know when NetBIOS rule SID:2101 was created.

Go to http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/rules/ and
find NetBIOS rules (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/rules/netbios.rules).
Use the find function of your browser (often CTRL-F) to find the SID in that
page.  It may be listed more than once, or it may not be listed at
all--depending on how many updates there have been to the rule, and how
good the committer's comments were.

If you REALLY need to know, start at the bottom and view each revision until
you find it.  This could probably be automated with wget and grep.

You can find out when documentation was added by navigating to
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/doc/signatures/,
which will take a LONG time to open.  But you can then easily find the docs
for the SID, if there are any.

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
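The "wget and grep" automation JP suggests, written out as an added example (it is not from the original post). It assumes each revision of the rules file has already been fetched into one directory as a file named after its CVS revision number (1.8, 1.9, 1.10, ...); the snapshots created below are constructed sample data, not Snort's real history.

```sh
#!/bin/sh
# Find the earliest CVS revision of a Snort rules file that contains a given
# SID, by scanning a directory of revision snapshots in revision order.
# The snapshots written here are constructed sample data (assumption).
SNAPDIR=$(mktemp -d)
trap 'rm -rf "$SNAPDIR"' EXIT
printf '%s\n' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; sid:2100; rev:1;)' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"decoy, longer SID"; sid:21010; rev:1;)' \
  > "$SNAPDIR/1.8"
printf '%s\n' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; sid:2100; rev:1;)' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS new rule"; sid:2101; rev:1;)' \
  > "$SNAPDIR/1.9"
printf '%s\n' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; sid:2100; rev:2;)' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS new rule"; sid:2101; rev:2;)' \
  > "$SNAPDIR/1.10"

# List snapshot files named after CVS revisions in numeric order.
# A plain lexical sort would wrongly put 1.10 before 1.9.
revisions_in_order() {
    ls "$1" | sort -t. -k1,1n -k2,2n
}

# Usage: first_revision_with_sid SID SNAPDIR
# Prints "<cvs revision> rev:<rule rev>" for the earliest snapshot that
# contains the SID and returns 0; returns 1 if no snapshot has it.
first_revision_with_sid() {
    sid="$1"; dir="$2"
    for cvsrev in $(revisions_in_order "$dir"); do
        # Anchor on the trailing ';' so sid:2101 does not match sid:21010.
        line=$(grep -E "sid:[[:space:]]*${sid}[[:space:]]*;" "$dir/$cvsrev" | head -n 1)
        if [ -n "$line" ]; then
            rulerev=$(printf '%s\n' "$line" | sed -n 's/.*rev:[[:space:]]*\([0-9]*\).*/\1/p')
            printf '%s rev:%s\n' "$cvsrev" "${rulerev:-?}"
            return 0
        fi
    done
    return 1
}

first_revision_with_sid 2101 "$SNAPDIR"   # prints: 1.9 rev:1
```

Fetching the snapshots themselves is a loop over the ViewCVS revision URLs with wget; the commit date of the revision this prints is the date the rule entered the rule set.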