[Snort-sigs] invalid references in snort rules

Nigel Houghton nigel at ...435...
Mon Oct 6 11:37:05 EDT 2003

Around 2:14pm Michael Pacheco said:

MP :Also ...
MP :
MP :Sid 108 is tagged in the current ruleset as "Unknown Datagram decoding
MP :problem"  but sid 108 is  "BACKDOOR QAZ Worm Client Login access" on the
MP :snort document site .. ???

Check the generator ID for that. Sid 108 from the ruleset (gen id 1) !=
108 from snort_decoder (gen id 116).

MP :I was recently testing the references for the rules and I found that the
MP :following URLs don't seem to be valid:

This is a problem with URL references in general, keeping things up to
date can be onerous.

MP :http://www.tlsecurity.net/backdoor/Dagger.1.4.html (sid 104, 105)
MP :http://www.bugtraq.org/dev/GOBBLES-12.txt (sid 1382) - I found a
MP :similarly-named document at
MP :http://www.attrition.org/security/advisory/gobbles/GOBBLES-12.txt
MP :http://labs.defcom.com/adv/2001/def-2001-31.txt (sid 1379)
MP :http://www.w00w00.org/files/w00aimexp/ (sid 1393, 1752) - should be
MP :http://www.w00w00.org/files/exploits/w00aimexp/ instead
MP :http://www.musiccity.com/technology.htm (sid 1383)

Duly noted and will update in the docs.

MP :Also, there's a typo in rule 2126 (reference specifies bugtaq instead of
MP :bugtraq).

Noted, thanks.

Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

Message dated: Oct 6
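
Added example (not part of the original message, and not Snort's own tooling): a small audit that keys rules by (gen id, sid), so sid 108 from the ruleset and sid 108 from snort_decoder stay distinct, and flags reference systems that are not declared, such as the "bugtaq" typo. The rule bodies, sid 1000001, the example.com URL, and the assumption that decoder events appear as text rules with a gid option are all constructed for illustration.

```python
import re

# Assumption: systems as declared in a typical reference.config; load your own list.
KNOWN_SYSTEMS = {"bugtraq", "cve", "arachnids", "mcafee", "nessus", "url"}
OPTION_RE = re.compile(r'(\w+)\s*:\s*((?:"(?:[^"\\]|\\.)*"|[^;])*);')

def parse_rule(line):
    """Return (gid, sid, msg, [(system, id), ...]) for one rule, or None."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    gid, sid, msg, refs = 1, None, "", []  # no gid option means gen id 1
    for key, value in OPTION_RE.findall(line[start + 1:end]):
        value = value.strip()
        if key == "sid":
            sid = int(value)
        elif key == "gid":
            gid = int(value)
        elif key == "msg":
            msg = value.strip('"')
        elif key == "reference":
            system, _, ref_id = value.partition(",")
            refs.append((system.strip(), ref_id.strip()))
    return None if sid is None else (gid, sid, msg, refs)

def audit(lines):
    """Index rules by (gid, sid) and list references with undeclared systems."""
    index, problems = {}, []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        gid, sid, msg, refs = parsed
        index[(gid, sid)] = msg
        for system, ref_id in refs:
            if system.lower() not in KNOWN_SYSTEMS:
                problems.append((gid, sid, system, ref_id))
    return index, problems

# Constructed sample rules; only the msg text and the 1/116 gen ids come from the thread.
SAMPLE = [
    'alert tcp any any -> any any (msg:"BACKDOOR QAZ Worm Client Login access"; sid:108; rev:1;)',
    'alert ip any any -> any any (msg:"Unknown Datagram decoding problem"; gid:116; sid:108;)',
    'alert tcp any any -> any 80 (msg:"constructed example"; reference:bugtaq,1234; '
    'reference:url,www.example.com/a.txt; sid:1000001;)',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This only checks that the reference system name is declared; whether a referenced URL still resolves has to be checked separately.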
