[Snort-sigs] correct of signature sid:1685

Choudhary, Anil achoudhary at ...1651...
Tue Sep 23 02:49:05 EDT 2003


The following two signatures have the same content:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1685; rev:3;)

The signature for "ORACLE all_tab_privs access" should have content "ORACLE all_tab_privs".
Please correct me if I am wrong.

Regards,
Anil
-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Tuesday, September 23, 2003 8:56 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #712 - 2 msgs



Today's Topics:

   1. SID 556 contrib (Gene Gomez)
   2. Re: SNORT HELP (Matt Kettler)

--__--__--

Message: 1
Date: Fri, 19 Sep 2003 10:23:38 -0700
From: "Gene Gomez" <gegomez at ...1889...>
To: <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] SID 556 contrib

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)

--

Sid:

556

--

Summary:

A network-internal client has connected to an external GNUTella server
and issued a connect attempt to begin communications.

--

Impact:

Possible policy violation.

--

Detailed Information:

GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
files.  Depending on your site's policies, using it may be a policy
violation.

If not properly configured, GNUTella clients may accidentally share out
confidential files.  GNUTella worms (which use deceptive names to
encourage download) and viruses may also be accidentally downloaded by a
client.

--

Affected Systems:

Any system with a GNUTella client installed (available for most
platforms)

--

Attack Scenarios:

N/A

--

Ease of Attack:

N/A

--

False Positives:

None known.

--

False Negatives:

None known.

--

Corrective Action:

Depends on acceptable use policies.

--

Contributors:

Gene R Gomez (gene!AT!gomezbrothers!DOT!com)

--

Additional References:

http://www.gnutella.com




--__--__--

Message: 2
Date: Mon, 22 Sep 2003 11:16:30 -0400
To: acastellani at ...1891..., snort-sigs at lists.sourceforge.net
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] SNORT HELP

At 03:02 PM 9/19/2003, acastellani at ...1891... wrote:
>Is there a location I can submit questions for help with Snort.  We are
>running 2.0 and would like to set Snort to monitor and alarm all outgoing
>port 80 traffic.  I am not sure if there is a group I could submit these
>type of questions to.


In general I'd suggest asking them on the snort-users mailing list for
general questions. If you're doing custom rule development, then this
list (snort-sigs) would be the proper one, but anything else should go to the
snort-users list.

Also, in the case of general questions, be sure to stop by the www.snort.org
website and check the FAQ first.


As for your specific question, it has to do with rule development, so this 
is the proper list for it.

You didn't really specify if the outbound traffic was from port 80, or to
port 80, so I made rules for each. I'm also assuming that you're interested
in tcp port 80, not udp port 80.

If you want to alert on all outgoing traffic _TO_ port 80 you might want 
something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http server"; sid:1000000; rev:1;)

If you want all outgoing traffic _FROM_ port 80 on your end:

alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"outbound traffic from local http server"; sid:1000001; rev:1;)

If you only want to catch the fact that a connection was established, add
"flags:S+;" between the msg and the sid parts; as it stands, these rules
will alert for each and every packet on the local half of an http
conversation.
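As an added example (not code from this thread or from the Snort project), a small Python checker that covers both points raised above: it parses one-line Snort rules of the form quoted here, groups rules whose header and detection options are identical apart from msg/sid/rev (which surfaces the sid 1684/1685 copy-paste Anil reports), and counts how many packets of a constructed client-side HTTP conversation the outbound-to-port-80 rule fires on with and without flags:S+. The matcher is a deliberately minimal stand-in for Snort's detection engine; the sid 1000002 variant, the packet flags and the wildcard handling of $VAR addresses are assumptions.

```python
import re

# Constructed sample rules: the two ORACLE rules Anil quotes (identical content:)
# and Matt's outbound-to-port-80 rule without and (our addition) with flags:S+.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1685; rev:3;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http server"; sid:1000000; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http server"; flags:S+; sid:1000002; rev:1;)',
]
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
IDENTITY = ("msg", "sid", "rev")  # options that label a rule, not what it detects

def parse_rule(text):
    """Header fields plus an option dict (a repeated option would collapse here)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    _action, proto, src, sport, dst, dport, body = m.groups()
    opts = {name: val.strip('"') for name, val in OPTION.findall(body)}
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}

def find_duplicate_detection(rules):
    """Groups of sids whose header and detection options are identical (only msg/sid/rev differ)."""
    seen = {}
    for r in rules:
        detect = tuple(sorted((k, v) for k, v in r["opts"].items() if k not in IDENTITY))
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"], detect)
        seen.setdefault(key, []).append(r["opts"]["sid"])
    return [sids for sids in seen.values() if len(sids) > 1]

def matches(rule, pkt):
    """Toy matcher: protocol, literal ports ($VARs act as wildcards) and flags:S+
    (SYN set, other flags ignored); flow:/content: are not evaluated here."""
    ports = ((rule["sport"], pkt["sport"]), (rule["dport"], pkt["dport"]))
    if rule["proto"] != pkt["proto"] or any(
            w != "any" and not w.startswith("$") and int(w) != h for w, h in ports):
        return False
    return rule["opts"].get("flags") != "S+" or "S" in pkt["flags"]

# Constructed client-side packets of one outbound HTTP request: SYN, handshake ACK,
# the request (PSH/ACK), ACK of the response, FIN/ACK.
HTTP_CONVERSATION = [{"proto": "tcp", "sport": 40000, "dport": 80, "flags": f}
                     for f in ("S", "A", "PA", "A", "FA")]

def alert_count(rule_text, packets):
    """Number of packets in the conversation the rule would alert on."""
    return sum(matches(parse_rule(rule_text), p) for p in packets)
```

Running find_duplicate_detection over the parsed RULES returns the pair ['1684', '1685'], and alert_count gives 5 for the plain rule against the five-packet conversation but 1 once flags:S+ is present.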

--__--__--

End of Snort-sigs Digest