[Snort-sigs] Ares signature?

Alex Kirk alex.kirk at ...435...
Thu Aug 5 12:32:20 EDT 2004


D'oh! I've just been informed by someone else here on the rules team 
that you would indeed escape out a : in a content match, because it's a 
reserved character.

That's what I get for feeling like I'm getting good at this whole rules 
bit after only a few months on the team.

Alex Kirk

> See how these work out:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares traffic"; 
> content:"User-Agent\: Ares"; reference:url,www.aresgalaxy.org; 
> classtype:policy-violation; sid:1000001; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Ares GET"; 
> content:"GET /ares/"; reference:url,www.aresgalaxy.org; 
> classtype:policy-violation; sid:1000002; rev:1;)
>
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at ...2711...] On Behalf Of Tony Hernandez
> Sent: Thursday, August 05, 2004 9:57 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Ares signature?
>
> Has anyone been able to come up with a sig for this type of p2p software?
>
> http://www.aresgalaxy.org/
>
> I have looked at some captures but I don't see anything right off the
> bat that looks like I can get a sig from. Anyone inspect and write a
> sig for this one yet?
>
> Tony Hernandez
> Network Engineer
> Dept. of Housing and Residence Education
> University of Florida

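To make the escaping point concrete, here is a small Python decoder for Snort-style content strings, run over the two content matches from the posted rules. It is an added illustration, not Snort's own parser and not code from anyone in this thread: it treats a backslash as escaping whatever character follows it (so "User-Agent\: Ares" matches the literal bytes "User-Agent: Ares", whether or not a given Snort version insists on the escape) and also handles Snort's |xx xx| hex notation for binary content. The HTTP requests it is run against are constructed samples, not captures of Ares traffic.

```python
import re

# The content strings from the two posted rules, exactly as written in the thread,
# keyed by their sid.
RULE_CONTENTS = {
    1000001: r"User-Agent\: Ares",
    1000002: r"GET /ares/",
}


def decode_content(spec: str) -> bytes:
    """Turn a Snort-style content string into the raw bytes it matches.

    Two conventions are handled:
      * a backslash escapes the next character, so "\:" yields a literal ':'
        (and "\;", "\"", "\\" yield ';', '"', '\');
      * |xx xx| sections are hex bytes (Snort's binary content notation).
    This is an illustrative reimplementation, not Snort's parser.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "\\":
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash in content")
            out.append(ord(spec[i + 1]))
            i += 2
        elif c == "|":
            end = spec.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section")
            hexpart = spec[i + 1:end].replace(" ", "")
            if len(hexpart) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexpart):
                raise ValueError("bad hex section: %r" % spec[i:end + 1])
            out.extend(bytes.fromhex(hexpart))
            i = end + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def matching_sids(payload: bytes, rules=RULE_CONTENTS):
    """Return the sids whose decoded content occurs in the payload.

    Plain byte search, case-sensitive, i.e. a content match without nocase.
    """
    return sorted(sid for sid, spec in rules.items() if decode_content(spec) in payload)


# Constructed sample payloads (not real Ares captures).
ARES_REQUEST = (
    b"GET /ares/ HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Ares 1.8.1\r\n\r\n"
)
BROWSER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for sid, spec in RULE_CONTENTS.items():
        print(sid, repr(spec), "->", decode_content(spec))
    print("ares request hits:", matching_sids(ARES_REQUEST))
    print("browser request hits:", matching_sids(BROWSER_REQUEST))
```

Run stand-alone it shows both posted rules firing on the constructed Ares request and neither on the ordinary browser request; the escaped colon in the first content string decodes to a plain colon, which is why the match still lines up with the bytes on the wire.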