[Snort-sigs] Ares signature?
matt at ...2436...
Thu Aug 5 13:18:02 EDT 2004
Are you sure about not escaping within a content? (or uricontent) I've
not done it on a few rules recently and snort puked on the rule.
The version that's up now does hit on the string intended:
000 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73 User-Agent: Ares
I agree with you on the long term need for knowing the protocol, but I
do like these rules for their initial usefulness to find out how many of
these we'll see. The data we find and the types of packets we see will
let us learn and write better sigs.
Alex Kirk wrote:
> First off, your User-Agent rule is broken; you don't escape things in a
> regular content match like you would a pcre.
> Second, if you want to make sure that you catch this long-term -- they
> could easily change their User-Agent or the directory which they're
> fetching things from -- you need to know stuff unique to the protocol.
> Thus, you need pcaps, and hopefully some knowledge of what protocol
> you're running.
> I'd sent the original poster something off-list asking about the
> protocol and for pcaps, but since this has come up, I'm reiterating my
> request on-list, so everyone knows I'm willing to look into it.
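The thread turns on two things: that the packet dump above really does carry the bytes "User-Agent: Ares", and that a content match is a literal byte comparison rather than a regular expression, so escaping follows Snort's own rule-syntax conventions, not pcre's. The following is an added example, not code from the list or from Snort itself: a small Python parser that recovers the bytes from the dump line quoted in the message, translates the text of a Snort content option (with |hex| segments and the backslash escapes the Snort manual defines for ; " and \) into the bytes it matches, and compares that against a pcre check over the same payload. The dump-line format it accepts and the decision to reject any other backslash escape are assumptions of this parser, not claims about how Snort handles them.

```python
import re

# Copy of the Snort payload dump line quoted in the message (constructed input).
HEXDUMP_LINE = "000 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73 User-Agent: Ares"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(line: str) -> bytes:
    """Recover raw payload bytes from a '<offset> : <hex bytes> <ascii>' dump line.

    Assumption: hex tokens follow the colon and the ASCII column begins at the
    first token that is not exactly two hex digits.
    """
    _, _, rest = line.partition(":")
    out = bytearray()
    for tok in rest.split():
        if len(tok) == 2 and set(tok) <= HEX_DIGITS:
            out.append(int(tok, 16))
        else:
            break
    return bytes(out)


def content_to_bytes(content: str) -> bytes:
    """Translate the text inside a Snort content:"..." option to literal bytes.

    Text between | | is hex; a backslash escapes only ; " and \ (the escapes the
    Snort manual requires); everything else is taken as-is. Any other backslash
    escape is rejected by this parser (a design choice here, not Snort behaviour).
    """
    out = bytearray()
    i = 0
    in_hex = False
    while i < len(content):
        c = content[i]
        if in_hex:
            if c == "|":
                in_hex = False
                i += 1
            elif c.isspace():
                i += 1
            else:
                pair = content[i:i + 2]
                if len(pair) != 2 or not set(pair) <= HEX_DIGITS:
                    raise ValueError(f"bad hex pair {pair!r} in content")
                out.append(int(pair, 16))
                i += 2
        elif c == "|":
            in_hex = True
            i += 1
        elif c == "\\":
            nxt = content[i + 1] if i + 1 < len(content) else ""
            if nxt not in ';"\\':
                raise ValueError(f"invalid escape \\{nxt} in content")
            out.append(ord(nxt))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| segment in content")
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """Literal byte search, which is what a content option does."""
    return content_to_bytes(content) in payload


def pcre_matches(pattern: str, payload: bytes) -> bool:
    """Regex search over the payload, which is what a pcre option does."""
    return re.search(pattern.encode("latin-1"), payload) is not None


if __name__ == "__main__":
    payload = hexdump_to_bytes(HEXDUMP_LINE)
    print(payload)
    print(content_matches("User-Agent: Ares", payload))
    print(content_matches("User-Agent|3A 20|Ares", payload))
    print(pcre_matches(r"^User-Agent: Ares\b", payload))
```

Running the block shows the two content spellings (plain text and |3A 20| hex) resolve to the same bytes and both hit the dumped payload, while the pcre form needs regex escaping for characters like the period that content treats literally.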