[Snort-sigs] SIDS 1133 and 619

Steven Alexander alexander.s at ...1565...
Fri Jul 18 10:58:14 EDT 2003


The following rules use the exact same alert message and should probably
be differentiated.  In accordance with the alert messages for the other
portions of the Cybercop OS scan, I recommend that SID 619 contain "SCAN
cybercop os SF12 probe" and that SID 1133 contain "SCAN cybercop os SFP
probe".


-steven

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:6;)
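As an added example (not part of the post or of the Snort ruleset), the script below parses the two quoted rules, reports which SIDs share an identical msg, and applies the fix proposed above by inserting each rule's TCP flags into its message. The rule text is copied from the post and joined onto one line per rule; the option-parsing regex is a simplified one written for this example and covers only the option syntax these two rules use.

```python
import re

# The two rules quoted in the post, one per line (copied, not generated).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; '
    'flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; '
    'content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; '
    'classtype:attempted-recon; sid:1133; rev:6;)',
]

# key:value; pairs, where the value is either a quoted string or runs to the next ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_options(rule):
    """Return the rule options (inside the parentheses) as a list of (key, value)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    for key, value in OPTION_RE.findall(body):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts.append((key, value))
    return opts


def find_duplicate_msgs(rules):
    """Map every msg used by more than one SID to the list of SIDs that share it."""
    by_msg = {}
    for rule in rules:
        opts = dict(parse_options(rule))
        by_msg.setdefault(opts["msg"], []).append(int(opts["sid"]))
    return {msg: sids for msg, sids in by_msg.items() if len(sids) > 1}


def proposed_msg(rule):
    """Disambiguate a msg by inserting the rule's flags before the last word, as the post suggests."""
    opts = dict(parse_options(rule))
    head, tail = opts["msg"].rsplit(" ", 1)
    return f'{head} {opts["flags"]} {tail}'


def disambiguate(rules):
    """Rewrite only the rules whose msg collides; the result has unique alert messages."""
    dups = find_duplicate_msgs(rules)
    out = []
    for rule in rules:
        msg = dict(parse_options(rule))["msg"]
        if msg in dups:
            rule = rule.replace(f'msg:"{msg}"', f'msg:"{proposed_msg(rule)}"', 1)
        out.append(rule)
    return out
```

Running `find_duplicate_msgs(RULES)` shows the collision as `{"SCAN cybercop os probe": [619, 1133]}`, and `disambiguate(RULES)` yields the two messages the post recommends.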
