[Snort-sigs] Russell Fulton's " patch or sig changes

Jon warchild at ...288...
Sat Jan 11 15:17:02 EST 2003


Greetings,

As Russell Fulton mentioned, his patch(*) may fix the issue of using " in
the msg field of Snort rules but it doesn't cover all cases and may cause
other problems.  The alternative is to rewrite the troublesome rules.  I'm
currently using the following modified versions of sids 543-548,554 without
difficulty:  
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (STOR 1MB) possible warez site"; flow:to_server,established; content:"STOR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:543; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (RETR 1MB) possible warez site"; flow:to_server,established; content:"RETR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:544; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (CWD /) possible warez site"; flow:to_server,established; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (CWD  ) possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth: 5; classtype:misc-activity; sid:546; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (MKD  ) possible warez site"; flow:to_server,established; content:"MKD  "; nocase; depth: 5; classtype:misc-activity; sid:547; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (MKD . ) possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth: 5; classtype:misc-activity; sid:548; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP (MKD / ) possible warez site"; flow:to_server,established; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:6;)

The difference is that in place of "s in the msg field I'm using
parentheses. 
   
-jon



(*) http://marc.theaimsgroup.com/?l=snort-devel&m=103880427700745&w=2
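As an added illustration, not part of Jon's post or of the Snort ruleset, here is a small Python check that flags a rule whose msg value contains unescaped double quotes and rewrites each quoted run to the parenthesised form used above. The sample rule (its msg text and rev number) is constructed for this example.

```python
import re

# Constructed sample of a rule in the troublesome form: the msg text quotes the
# FTP command, so the msg value carries embedded " characters. Not a rule taken
# from the snort.org ruleset; the rev number is made up for the example.
QUOTED_MSG_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
    '(msg:"FTP "STOR 1MB" possible warez site"; flow:to_server,established; '
    'content:"STOR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:543; rev:4;)'
)

# The msg value runs from msg:" to the first " that is directly followed by ;
# (the option terminator), so embedded quotes followed by text do not end it.
MSG_RE = re.compile(r'msg:\s*"(.*?)"\s*;')

# A " inside the msg value that is not backslash-escaped.
UNESCAPED_QUOTE_RE = re.compile(r'(?<!\\)"')


def msg_text(rule):
    """Return the raw msg value of a rule, or None when the rule has no msg."""
    m = MSG_RE.search(rule)
    return m.group(1) if m else None


def has_embedded_quotes(rule):
    """True when the msg value contains an unescaped double quote."""
    text = msg_text(rule)
    return text is not None and UNESCAPED_QUOTE_RE.search(text) is not None


def rewrite_msg_quotes(rule):
    """Rewrite "..." pairs inside the msg value as (...), leaving the rest intact."""
    def repl(m):
        fixed = re.sub(r'(?<!\\)"([^"]*)"', r'(\1)', m.group(1))
        return 'msg:"%s";' % fixed
    return MSG_RE.sub(repl, rule, count=1)


if __name__ == "__main__":
    print("embedded quotes:", has_embedded_quotes(QUOTED_MSG_RULE))
    print(rewrite_msg_quotes(QUOTED_MSG_RULE))
```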