[Snort-sigs] RE: [snort-cvs] CVS: snort - cazz

Brian bmc at ...95...
Sun Jan 26 15:33:04 EST 2003


On Sun, Jan 26, 2003 at 12:10:19PM -0600, Kreimendahl, Chad J wrote:
> Quick question about the large list of newly deleted rules.  I noticed a
> ton of DeepThroat rules removed... with a note above them talking about
> the back orifice preprocessor.  Does this mean that spp_bo is supposed
> to catch all of those rules?

The comment was in reference to the deletion of sid:116.

Deletion of the DeepThroat rules was because of the massive amount of
duplication and waste.

I trimmed 65 DeepThroat rules down to 6.  And those 6 will get
better once we get port lists.


> Also, the following comment:
> # The following ftp rules look for specific exploits, which are not needed now
> # that initial protocol decoding is available.
> 
> Is there an ftp preprocessor/decoder out there? I don't see it in the
> current CVS.

No.  Thanks to distance and within, we can do basic protocol
verification.  The protocol verification rules work MUCH better than
exploit specific shellcode style rules.  Sid 337 is a perfect example
of a "protocol verification" style rule.

-brian
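The contrast Brian draws above, between an exploit-specific shellcode rule and a "protocol verification" rule built from relative content matches, as an added illustration that is not part of the original thread and not a rule from the Snort distribution (it does not reproduce sid 337). The tiny matcher below models Snort's relative content options (`distance` shifts the search start past the end of the previous match, `within` caps how far past it the next content may sit, `!` negates); the two rule definitions, the 100-byte argument threshold, the "CWD" command choice and the sample payloads are all assumptions constructed for this example:

```python
# Added example: why a relative-content "protocol verification" rule
# outperforms an exploit-specific shellcode signature.  Not Snort code;
# a simplified model of content/distance/within semantics.

# Constructed sample FTP client commands (not real captures).
LEGIT_CWD = b"CWD /pub/incoming\r\n"
# Hypothetical exploit A: NOP sled followed by one particular shellcode stub.
EXPLOIT_A = b"CWD " + b"\x90" * 300 + b"\x31\xc0\x50\x68" + b"\r\n"
# Hypothetical exploit B: same overflow, different padding and different stub.
EXPLOIT_B = b"CWD " + b"A" * 300 + b"\xeb\x1f\x5e\x89" + b"\r\n"

MAX_ARG = 100  # assumed sane upper bound on a CWD argument length


def relative_find(payload, pattern, cursor, distance=0, within=None):
    """Search for `pattern` relative to `cursor` (end of the previous match).

    distance: skip this many bytes before searching (Snort `distance`).
    within:   the pattern must lie entirely inside the next `within` bytes
              (Snort `within`, simplified to a hard window).
    Returns the offset just past the match, or -1 if not found.
    """
    begin = cursor + distance
    end = len(payload) if within is None else begin + within
    pos = payload.find(pattern, begin, end)
    return -1 if pos < 0 else pos + len(pattern)


def rule_matches(payload, contents):
    """Evaluate an ordered list of content checks against one payload.

    Each entry is (pattern, negated, distance, within).  Every check is
    relative to the end of the previous positive match, like chained
    content options in a Snort rule.  A negated check fails the rule if
    the pattern IS found in its window and does not move the cursor.
    """
    cursor = 0
    for pattern, negated, distance, within in contents:
        end = relative_find(payload, pattern, cursor, distance, within)
        if negated:
            if end >= 0:
                return False
        else:
            if end < 0:
                return False
            cursor = end
    return True


# Exploit-specific style: the command keyword plus one known shellcode stub.
EXPLOIT_SPECIFIC = [
    (b"CWD ", False, 0, None),
    (b"\x31\xc0\x50\x68", False, 0, None),
]

# Protocol-verification style: after "CWD ", a line terminator must appear
# within MAX_ARG+1 bytes; if none does, the argument is implausibly long.
# Roughly: content:"CWD "; content:!"|0A|"; within:101;
PROTOCOL_CHECK = [
    (b"CWD ", False, 0, None),
    (b"\n", True, 0, MAX_ARG + 1),
]


def evaluate(rules, payloads):
    """Return {rule_name: {payload_name: fired}} for every rule/payload pair."""
    return {
        rule_name: {p_name: rule_matches(p, contents) for p_name, p in payloads.items()}
        for rule_name, contents in rules.items()
    }


if __name__ == "__main__":
    rules = {"exploit_specific": EXPLOIT_SPECIFIC, "protocol_check": PROTOCOL_CHECK}
    payloads = {"legit": LEGIT_CWD, "exploit_a": EXPLOIT_A, "exploit_b": EXPLOIT_B}
    for rule_name, results in evaluate(rules, payloads).items():
        print(rule_name, results)
```

The exploit-specific rule fires on exploit A only; swap in different shellcode (exploit B) and it is silent. The protocol check fires on both overflows because it keys on the property every variant shares, an argument with no line terminator in a plausible window, and stays quiet on the legitimate command. Real Snort rules would also carry `flow`, `nocase` and port restrictions; those are omitted here.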



