[Snort-sigs] RE: [snort-cvs] CVS: snort - cazz
Kreimendahl, Chad J
Chad.Kreimendahl at ...361...
Mon Jan 27 07:14:06 EST 2003
From: Brian [mailto:bmc at ...95...]
Sent: Sunday, January 26, 2003 5:31 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: [snort-cvs] CVS: snort - cazz
On Sun, Jan 26, 2003 at 12:10:19PM -0600, Kreimendahl, Chad J wrote:
> Quick question about the large list of newly deleted rules. I noticed a
> ton of DeepThroat rules removed... with a note above them talking about
> the back orifice preprocessor. Does this mean that spp_bo is supposed
> to catch all of those rules?
The comment was in reference to the deletion of sid:116.
Deletion of the DeepThroat rules was because of the massive amount of
duplication and waste.
I trimmed 65 DeepThroat rules down to 6. And those 6 will get
better once we get port lists.
> Also, the following comment:
> # The following ftp rules look for specific exploits, which are not needed now
> # that initial protocol decoding is available.
> Is there an ftp preprocessor/decoder out there? I don't see it in the
> current CVS.
No. Thanks to distance and within, we can do basic protocol
verification. The protocol verification rules work MUCH better than
exploit specific shellcode style rules. Sid 337 is a perfect example
of a "protocol verification" style rule.
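Brian's point about distance/within versus exploit-specific rules, as an added example that is not from the thread or from the Snort project: a small Python model of Snort's content/distance/within matching, with a protocol-verification rule and a shellcode-style rule run over constructed FTP payloads. The relative offset/depth semantics and the 100-byte argument limit are assumptions of the model, not Snort's actual rule set.

```python
# Mini model of Snort content/distance/within matching (added example, not
# from the thread). Modeled after Snort 2 semantics as an assumption:
# distance = relative offset from the end of the previous match,
# within = relative search depth measured from there.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    negated: bool = False         # content:!"..." -> pattern must be absent
    distance: int = 0             # skip N bytes past the previous match end
    within: Optional[int] = None  # search depth after the skip (None = to end)

def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate an ordered list of content options, each searched relative
    to the end of the previous (non-negated) match."""
    cursor = 0
    for c in contents:
        start = cursor + c.distance
        end = len(payload) if c.within is None else start + c.within
        idx = payload[start:end].find(c.pattern)
        if c.negated:
            if idx != -1:
                return False      # forbidden byte sequence is present in the window
            continue              # negated content does not move the cursor
        if idx == -1:
            return False
        cursor = start + idx + len(c.pattern)
    return True

# "Protocol verification": a USER argument running 100 bytes with no line
# feed is not valid FTP, whatever the attacker put in the buffer.
FTP_USER_TOO_LONG = [Content(b"USER "),
                     Content(b"\n", negated=True, distance=0, within=100)]
# "Exploit specific": only fires on one particular NOP-sled filler.
FTP_USER_NOP_SLED = [Content(b"USER "),
                     Content(b"\x90\x90\x90\x90", distance=0)]

def classify(payload: bytes) -> dict:
    return {"protocol_rule": rule_matches(payload, FTP_USER_TOO_LONG),
            "exploit_rule": rule_matches(payload, FTP_USER_NOP_SLED)}

# Constructed sample traffic (not real captures).
LEGIT = b"USER anonymous\r\n"
SLED = b"USER " + b"\x90" * 200 + b"\r\n"
VARIANT = b"USER " + b"A" * 200 + b"\r\n"  # same overflow, different filler

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("sled", SLED), ("variant", VARIANT)):
        print(name, classify(pkt))
```

The variant payload is the case the e-mail is about: the protocol-verification rule still fires when the filler changes, while the shellcode-style rule goes silent.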