[Snort-sigs] Few posistives on several rules on POP3

Cedric Foll cedric.foll at ...1947...
Sat Oct 25 15:47:15 EDT 2003


> 	* If you're using the default rules, you're probably not running
> in a 'real environment'.
> 	* Write your own rules.

I write my own rules. But I'm not going to rewrite all the 2039 rules,
and rewrite them again at each update. I just have no time to do that.

I write my own rules for my network, but I'd like the default rules to
work as well as possible. So I'm OK with filling local.rules, but I would
like not to have to touch the other ones (only deactivate a few with
oinkmaster).

Snort is free software; the goal of that is improving the software through
the community. So when someone sends an improvement to the list, it should
be a good idea to include it in the rules files.

For example I wrote (and submitted on this list) rules to detect
E-donkey a few weeks ago. But these rules haven't been included in
p2p.rules.
I don't blame the maintainer of the rules files, but if his amount of work
is too important, a few other people can help him. For example I'd agree
to maintain the p2p.rules file.


My rules for Edonkey:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Edonkey connection client"; flow:established,to_server; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 01|"; offset:2; depth:4; dsize:<256; classtype:policy-violation; sid:10000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Edonkey Serveur Message"; flow:established,to_client; content:"|e3|"; offset:0; depth:1; content:"|00 00 00 38|"; offset:2; depth:4; dsize:<256; classtype:policy-violation; sid:10000002; rev:2;)



> Think of it like the default
> Solaris inetd.conf--It's there and it works, but you're _much_ better off
> to rework it for yourself.  Same idea here.  If you don't like the way
> that a sig works--Change it.  It's that simple.

I agree with you, but inetd.conf doesn't have so many entries and doesn't
need to be updated very often.

> 
> * Writing your own rules:  See above. :)  Design your own rules for your
> own network.  It's not that hard, it's just that most people don't want to
> take the time to write rules.  They would rather make use of the generic
> default sigs than to build specific ones for their own network.

I agree that it's not hard.
But not everyone can be a specialist in each protocol, or be aware of
each new flaw (I admit that I don't read bugtraq; I know I should, but
I'm a network administrator and security isn't my only job).


-- 
==================
Cedric Foll
Network engineer, Rectorat de Rouen
email: cedric.foll at ...1947...
tel: 02 35 14 77 51

"Pride has a greater share than kindness
in the reproaches we address to those
who commit faults; and we reprove them
not so much to correct them as to
persuade them that we ourselves are
free of those faults."
La Rochefoucauld
===================
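To make the matching logic of the two posted rules concrete, here is an added Python example (not from the original post or from the Snort project) that replays the same checks over constructed sample payloads: the `|e3|` marker at offset 0, the 4-byte pattern searched in the window Snort's `offset:2; depth:4;` describes, the `dsize:<256` limit and the `flow` direction. The header layout it builds (protocol byte 0xe3, 4-byte little-endian length, then a 1-byte opcode) and the sample payloads are assumptions for illustration, and the function names are this example's own. It shows why the rule effectively reads the upper three length bytes plus the opcode, which is also why it stops matching for messages whose length field exceeds 255.

```python
"""Replay the two eDonkey Snort rules from the post in plain Python.

Assumed header layout (not stated in the post): byte 0 is the protocol
marker 0xe3, bytes 1-4 are a little-endian message length, byte 5 is the
opcode. Sample payloads below are constructed for the demonstration.
"""
import struct

# Snort 2.x semantics for content with offset/depth: the pattern must be
# found inside payload[offset : offset + depth], i.e. `depth` bytes counted
# from `offset`. With offset:2 depth:4 and a 4-byte pattern this means
# payload[2:6] must equal the pattern exactly.
def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    window = payload[offset:offset + depth]
    return pattern in window


# Build a message in the assumed layout so we have realistic input.
def build_edonkey(opcode: int, body: bytes) -> bytes:
    length = 1 + len(body)  # the length field counts opcode + body
    return bytes([0xE3]) + struct.pack("<I", length) + bytes([opcode]) + body


# The two rules from the post, reduced to the fields the matcher needs.
# `marker` is the second content option; bytes 2-4 are the high three
# bytes of the length field (zero for short messages) and byte 5 the opcode.
RULES = {
    10000001: {"msg": "Edonkey connection client",
               "flow": "to_server", "marker": b"\x00\x00\x00\x01"},
    10000002: {"msg": "Edonkey Serveur Message",
               "flow": "to_client", "marker": b"\x00\x00\x00\x38"},
}


def match_rules(payload: bytes, direction: str) -> list:
    """Return the sids of the posted rules that would fire on `payload`.

    `direction` is "to_server" or "to_client", standing in for the
    flow:established,to_server / to_client option.
    """
    hits = []
    if not len(payload) < 256:          # dsize:<256
        return hits
    if not content_match(payload, b"\xe3", 0, 1):   # content:"|e3|"; offset:0; depth:1;
        return hits
    for sid, rule in RULES.items():
        if rule["flow"] != direction:
            continue
        if content_match(payload, rule["marker"], 2, 4):  # offset:2; depth:4;
            hits.append(sid)
    return hits


# Constructed sample traffic for a quick run.
SAMPLES = [
    # (label, payload, direction)
    ("client hello (opcode 0x01)", build_edonkey(0x01, b"\x00" * 20), "to_server"),
    ("server message (opcode 0x38)", build_edonkey(0x38, b"server: welcome"), "to_client"),
    ("client hello seen in the wrong direction", build_edonkey(0x01, b"\x00" * 20), "to_client"),
    ("plain HTTP request", b"GET / HTTP/1.0\r\n\r\n", "to_server"),
    # length field 301 = 0x2d 0x01 ...: byte 2 is no longer zero and the
    # packet also exceeds dsize:<256, so the rule stays silent.
    ("large server message", build_edonkey(0x38, b"x" * 300), "to_client"),
]


def run_samples() -> dict:
    """Map each sample label to the list of sids that fired (for the demo)."""
    return {label: match_rules(payload, direction)
            for label, payload, direction in SAMPLES}


if __name__ == "__main__":
    for label, sids in run_samples().items():
        names = [RULES[s]["msg"] for s in sids]
        print(f"{label:45s} -> {sids} {names}")
```

Because both rules only inspect the first six bytes, they describe the session handshake rather than any later command; that is adequate for a policy-violation signature, but it also means a single eDonkey session produces at most one alert per direction.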


