[Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003

Belthrop, Tony tony.belthrop at ...1303...
Sat Feb 15 05:55:11 EST 2003


Why is it that every time I try to add a sig, snort won't run? I
create the xxxx.rules file, and then edit the snort.conf file to add the
# include $RULE_PATH/xxxx.rules....  Am I missing a step here? Snort
will not start on the sensors unless I go back and comment out the new
include line in the snort.conf file.

Thanks

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Monday, February 10, 2003 10:07 AM
To: Michael.Advani at ...1221...
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003


On Mon, Feb 10, 2003 at 05:12:16PM +0800, Michael.Advani at ...1221...
wrote:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content: "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)


> How come there are so many versions ? Though the header part is 
> identical, the 'meat' is totally different !

Because one is an "official" rule, the others are not.  (sid:2003 is the
official rule, in case you didn't notice...)

-brian
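Added example, not code from this thread or from the Snort project: a small Python pre-check for a new .rules file before its include line goes into snort.conf. It re-joins rules that a mail client wrapped across lines (as the quoted rules above are) and flags the defects worth catching first: a header/parenthesis layout that does not parse, a rule without msg or sid (the third quoted rule has no sid), and malformed hex inside a content match. The sample rules and the action keyword list are constructed for the example.

```python
import re

# Snort 2.x one-line layout: action proto src sport dir dst dport (opt:val; opt:val; ...)
ACTIONS = ('alert', 'log', 'pass', 'drop', 'reject', 'sdrop', 'activate', 'dynamic')
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'(?:"[^"]*"|[^;"])+')   # option chunks; a ';' inside quotes does not split
HEX_RE = re.compile(r'\|([^|]*)\|')          # |04 01 ...| binary content blobs

def load_rules(text):
    """Return one string per rule, re-joining lines that a mail client or editor wrapped mid-rule."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):       # blank or commented out
            continue
        if s.startswith(ACTIONS) or not rules:
            rules.append(s)
        else:                                # bare continuation: glue it onto the previous rule
            rules[-1] += ' ' + s
    return rules

def lint_rule(rule):
    """Return the problems found in one rule; an empty list means it passed these checks."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header or parentheses do not fit: action proto src sport -> dst dport (...)']
    keys = {}
    for opt in OPT_RE.findall(m.group(8)):
        name, _, val = opt.strip().partition(':')
        if name:
            keys.setdefault(name, []).append(val.strip())
    problems = [f'missing {k} option' for k in ('msg', 'sid') if k not in keys]
    for val in keys.get('content', []):
        for blob in HEX_RE.findall(val):
            if any(not re.fullmatch(r'[0-9A-Fa-f]{2}', b) for b in blob.split()):
                problems.append(f'bad hex bytes in content {val}')
    return problems

# Constructed sample: two of the thread's Slammer rules, wrapped the way a mail client wraps them.
SAMPLE = '''alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity";
content: "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
'''

if __name__ == '__main__':
    for i, r in enumerate(load_rules(SAMPLE), 1):
        print(i, lint_rule(r) or 'ok')
```

This only catches the common copy-and-paste defects; Snort's own configuration test (`snort -T -c snort.conf`) remains the authoritative check before restarting the sensors.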


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
