[Snort-sigs] First attempt at writing a sig

Matt Jonkman matt at ...2436...
Fri Dec 17 12:11:02 EST 2004

Not a bad run for a first sig. Thanks for posting it.

Why did you go home-home net? Why not home-any? Or even any-any? I'm not 
that familiar with the tool, but I'd think the most interesting traffic 
would be someone from the outside connecting to a local box.

As far as why it doesn't show right in acid, not sure. It is crafted 
correctly. Try increasing the rev number and hitting it again. I wonder 
if maybe the first time you had a hit the msg was empty, in which case 
it won't take the new msg until the rev # increases.

I'll put this up on bleeding snort for more testing after we sort out 
the reasons for the home-home.


Lance Boon wrote:

>This is my first attempt at writing a sig and wondered if anybody had
>any pointers. I got a pcap of a netop session to 2 different systems,
>ran it through snort and noticed that the content was the same on in one
>particular packet. So I wrote a rule for it, I have this working on my
>network right now and haven't had any false positives yet. The only
>thing that is bugging me and I'm sure that it's something that I'm
>missing is that when an alert hits it doesn't read "Netop Remote Control
>Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0] 
>alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
>Usage"; content:"|554b30303736305337473130|";
>reference:url,www.netop.com; classtype:policy-violation; sid:2000000;


More information about the Snort-sigs mailing list