[Snort-sigs] RE: [snort-cvs] CVS: snort - cazz

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 27 07:14:06 EST 2003


sweet, thanks

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Sunday, January 26, 2003 5:31 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: [snort-cvs] CVS: snort - cazz


On Sun, Jan 26, 2003 at 12:10:19PM -0600, Kreimendahl, Chad J wrote:
> Quick question about the large list of newly deleted rules.  I noticed a
> ton of DeepThroat rules removed... with a note above them talking about
> the back orifice preprocessor.  Does this mean that spp_bo is supposed
> to catch all of those rules?

The comment was in reference to the deletion of sid:116.

Deletion of the DeepThroat rules was because of the massive amount of
duplication and waste.

I trimmed 65 DeepThroat rules down to 6.  And those 6 will get
better once we get port lists.


> Also, the following comment:
> # The following ftp rules look for specific exploits, which are not needed now
> # that initial protocol decoding is available.
> 
> Is there an ftp preprocessor/decoder out there? I don't see it in the
> current CVS.

No.  Thanks to distance and within, we can do basic protocol
verification.  The protocol verification rules work MUCH better than
exploit specific shellcode style rules.  Sid 337 is a perfect example
of a "protocol verification" style rule.

-brian
