[Snort-sigs] Ares signature?

Matthew Jonkman matt at ...2436...
Thu Aug 5 13:18:02 EDT 2004


Are you sure about not escaping within a content? (or uricontent) I've 
not done it on a few rules recently and snort puked on the rule.

The version that's up now does hit on the string intended:

000 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73   User-Agent: Ares

I agree with you on the long term need for knowing the protocol, but I 
do like these rules for their initial usefulness to find out how many of 
these we'll see. The data we find and the types of packets we see will 
let us learn and write better sigs.

Thanks

Matt

Alex Kirk wrote:

> First off, your User-Agent rule is broken; you don't escape things in a 
> regular content match like you would a pcre.
> 
> Second, if you want to make sure that you catch this long-term -- they 
> could easily change their User-Agent or the directory which they're 
> fetching things from -- you need to know stuff unique to the protocol. 
> Thus, you need pcaps, and hopefully some knowledge of what protocol 
> you're running.
> 
> I'd sent the original poster something off-list asking about the 
> protocol and for pcaps, but since this has come up, I'm reiterating my 
> request on-list, so everyone knows I'm willing to look into it.
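Added example, not code from either poster or from the Snort project: a small Python model of what the two messages above disagree about, namely what has to be escaped inside a Snort `content:` string versus a `pcre:` pattern, run against a constructed HTTP request carrying the `User-Agent: Ares` header from Matt's hex dump. The escaping rules encoded here (`;`, `\`, `"` and `|` need a backslash inside content, `|..|` encloses hex bytes, anything else including `-` and `:` is literal) are my reading of the Snort 2 rule syntax and are an assumption; the sample request and its host name are constructed.

```python
import re

# Assumption (Snort 2 rule syntax as I read it, not taken from the thread):
# inside content:"..." only these characters take a backslash escape, and
# |..| wraps hex bytes. A backslash before any other character is an error,
# which is the point Alex makes about not escaping like you would in a pcre.
_CONTENT_ESCAPABLE = set(';\\"|')

# Constructed sample request (not a capture), with the header from the dump.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Ares\r\n"
    b"\r\n"
)

# The hex dump line quoted in Matt's message.
DUMP_LINE = "000 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73   User-Agent: Ares"


def content_to_bytes(content: str) -> bytes:
    """Turn the inside of a content:"..." string into the raw bytes Snort
    would search for. Raises ValueError on an escape Snort would not accept."""
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == '\\':
            nxt = content[i + 1] if i + 1 < len(content) else ''
            if nxt not in _CONTENT_ESCAPABLE:
                raise ValueError(f"invalid escape in content: \\{nxt}")
            out.append(ord(nxt))
            i += 2
        elif ch == '|':
            # |3A 20| style binary section; index() raises if unterminated
            end = content.index('|', i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def escape_is_rejected(content: str) -> bool:
    """True if the content string uses an escape the parser refuses."""
    try:
        content_to_bytes(content)
    except ValueError:
        return True
    return False


def content_matches(content: str, payload: bytes) -> bool:
    """Plain substring search, which is all a bare content match does."""
    return content_to_bytes(content) in payload


def pcre_for_literal(literal: str) -> str:
    """A pcre that matches the same literal; here regex metacharacters
    DO need escaping, which is what re.escape takes care of."""
    return re.escape(literal)


def pcre_matches(pattern: str, payload: bytes) -> bool:
    return re.search(pattern.encode(), payload) is not None


def hexdump_line_to_bytes(line: str) -> bytes:
    """Decode one 'offset : 16 hex pairs   ascii' line like the one quoted."""
    hexpart = line.split(':', 1)[1]
    tokens = hexpart.split()[:16]          # the ASCII column follows the 16 pairs
    return bytes(int(t, 16) for t in tokens)


if __name__ == "__main__":
    wanted = hexdump_line_to_bytes(DUMP_LINE)
    print("dump decodes to:", wanted)
    print("content match:", content_matches('User-Agent|3A 20|Ares', SAMPLE_REQUEST))
    print("pcre match   :", pcre_matches(pcre_for_literal('User-Agent: Ares'), SAMPLE_REQUEST))
    print("escaped hyphen rejected:", escape_is_rejected('User\\-Agent'))
```

The useful contrast is between `content:"User-Agent|3A 20|Ares"` (no escaping of `-` or `:`, hex for the bytes you would rather not type) and the pcre built by `re.escape`, where the hyphen and space are escaped precisely because the regex engine, not Snort's content parser, would otherwise interpret them; a backslash before the hyphen in a content string is rejected under these rules.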
