[Snort-sigs] snort-rules with resp

Erek Adams erek at ...95...
Wed Jul 30 21:28:09 EDT 2003


On Wed, 31 Jul 2003, Alexandru Balan wrote:

> <disclaimer> i'm a snort newbie </disclaimer>

<disclaimer> I'm an "old fart" with regards to Snort. </disclaimer>  ;-)

> A few questions:
>
> Will snort release rules with flexresp? Manually adding responses to
> 2845 rules (which came with rules-current.tgz) is kinda hard.

Well...  Not that hard.

	sed 's/sid:/resp:rst_all; sid:/' *.rules > /tmp/new_rules

> In percentage, how many public exploits are recognized in the latest
> snortrules-current? If not many, do I have to write them or is there
> some location I can get them from? (up-to-date if possible). I tested a
> few exploits and snort let them through without even a warning (e.g. x2
> - ssh remote exploit).

The newest things are usually added as quickly as a pcap of the traffic
can be obtained or as soon as the exploit is available.

Of course, if you want to write your own sigs for something and then
submit them, we won't mind.  ;-)

As for the reason that some things don't alert:  Depending on whether there
is a rule for the issue, it might be due to how flow is used with the rules.
"flow: established, to_server" on a rule will cause it to only fire if the
data is on an established connection headed to the server.  If your
testing program never makes the full connection, the rule won't fire.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
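A more careful version of the sed one-liner from the reply, added here as an example and not part of the thread: the one-liner rewrites every line containing "sid:" (including commented-out rules and non-TCP rules, where a TCP reset makes no sense) and merges every .rules file into a single output. The awk filter below only touches active TCP rules that do not already carry a resp option, and the directory helper writes one output file per input file. Function names and the sample rules are constructed for this example.

```shell
# add_resp: read Snort rules on stdin, write them to stdout with
# "resp:rst_all;" inserted before "sid:" in active TCP rules.
# Lines that are commented out, have no sid, already carry a resp option,
# or are not TCP rules are passed through unchanged.
add_resp() {
    awk '
        /^[[:space:]]*#/           { print; next }   # commented-out rule
        !/sid:/                    { print; next }   # no sid, not a rule line
        /resp:/                    { print; next }   # already has a response
        !/^(alert|log|pass) +tcp / { print; next }   # RST only applies to TCP
        { sub(/sid:/, "resp:rst_all; sid:"); print }
    '
}

# add_resp_dir SRC DST: rewrite each SRC/*.rules into DST/<same name>
# instead of collapsing all rule files into one output file.
add_resp_dir() {
    mkdir -p "$2"
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        add_resp < "$f" > "$2/$(basename "$f")"
    done
}

# Constructed sample rules (not from the Snort ruleset) to exercise the filter:
# a TCP rule, a UDP rule, a disabled rule and a rule that already has resp.
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"example tcp"; flow:to_server,established; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"example udp"; sid:9000002; rev:1;)
# alert tcp any any -> any 80 (msg:"disabled"; sid:9000003; rev:1;)
alert tcp any any -> any 25 (msg:"already has resp"; resp:rst_snd; sid:9000004; rev:1;)'

# Usage: printf '%s\n' "$SAMPLE_RULES" | add_resp
#        add_resp_dir /etc/snort/rules /tmp/new_rules
```

Only the first sample rule gains "resp:rst_all;"; the other three come out exactly as they went in.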
