[Snort-sigs] First attempt at writing a sig
matt at ...2436...
Fri Dec 17 12:11:02 EST 2004
Not a bad run for a first sig. Thanks for posting it.

Why did you go home-home net? Why not home-any? Or even any-any? I'm not
that familiar with the tool, but I'd think the most interesting traffic
would be someone from the outside connecting to a local box.

As far as why it doesn't show right in acid, not sure. It is crafted
correctly. Try increasing the rev number and hitting it again. I wonder
if maybe the first time you had a hit the msg was empty, in which case
it won't take the new msg until the rev # increases.

I'll put this up on bleeding snort for more testing after we sort out
the reasons for the home-home.
Lance Boon wrote:

> This is my first attempt at writing a sig and wondered if anybody had
> any pointers. I got a pcap of a netop session to 2 different systems,
> ran it through snort and noticed that the content was the same in one
> particular packet. So I wrote a rule for it, I have this working on my
> network right now and haven't had any false positives yet. The only
> thing that is bugging me and I'm sure that it's something that I'm
> missing is that when an alert hits it doesn't read "Netop Remote Control
> Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
>
> alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
> reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
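The two points raised in the reply (the $HOME_NET -> $HOME_NET header only sees internal-to-internal traffic, and a console keyed on gen:sid:rev will keep showing the old label until rev is bumped) are easy to check mechanically before a rule goes live. The script below is an added example written for this thread, not code from the list or from the Snort project: it parses a Snort 2 rule into its header and option list, derives the [gid:sid:rev] triple that ACID displays, flags the home-home direction and a zero rev, and rewrites the rule with rev incremented. The sample rule is constructed to resemble the one posted; its content pattern is a placeholder because the real bytes were cut off in the archived message.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the rule posted in the thread. The
# content pattern is a PLACEHOLDER; the original bytes are not on the page.
EXAMPLE_RULE = (
    'alert udp $HOME_NET any -> $HOME_NET any '
    '(msg:"Netop Remote Control Usage"; content:"PLACEHOLDER"; '
    'reference:url,www.netop.com; classtype:policy-violation; '
    'sid:2000000; rev:0;)'
)

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while honouring quoted strings and
    backslash escapes, so a ';' inside msg:"..." does not break parsing."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            piece = ''.join(cur).strip()
            if piece:
                parts.append(piece)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (header fields, ordered (key, value) option pairs)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a Snort rule: ' + rule)
    header = {k: m.group(k) for k in
              ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = []
    for opt in split_options(m.group('opts')):
        key, _, val = opt.partition(':')
        options.append((key.strip(), val.strip()))
    return header, options


def signature_id(rule: str) -> Tuple[int, int, int]:
    """The [gid:sid:rev] triple a console such as ACID shows; gid defaults to 1."""
    opts = dict(parse_rule(rule)[1])
    gid = int(opts.get('gid', '1') or 1)
    return gid, int(opts['sid']), int(opts.get('rev', '0') or 0)


def lint_rule(rule: str) -> List[str]:
    """Review notes for the points discussed in the thread."""
    header, options = parse_rule(rule)
    opts = dict(options)
    notes = []
    if header['src'] == '$HOME_NET' and header['dst'] == '$HOME_NET':
        notes.append('direction: $HOME_NET -> $HOME_NET only matches '
                     'internal-to-internal sessions; external clients are missed')
    if not opts.get('msg', '').strip('"'):
        notes.append('msg: empty; the console falls back to a generic "Snort Alert" label')
    if 'sid' not in opts:
        notes.append('sid: missing')
    if int(opts.get('rev', '0') or 0) == 0:
        notes.append('rev: 0 or missing; bump rev whenever msg changes so a '
                     'console keyed on gen:sid:rev picks up the new text')
    if 'content' not in opts:
        notes.append('content: missing; the rule has no payload match')
    return notes


def bump_rev(rule: str) -> str:
    """Return the rule with rev incremented (rev:1 added if absent)."""
    current = signature_id(rule)[2]
    new = 'rev:%d;' % (current + 1)
    if re.search(r'\brev:\s*\d+\s*;', rule):
        return re.sub(r'\brev:\s*\d+\s*;', new, rule, count=1)
    return rule.rstrip()[:-1].rstrip() + ' ' + new + ')'


if __name__ == '__main__':
    print(signature_id(EXAMPLE_RULE))
    for note in lint_rule(EXAMPLE_RULE):
        print('-', note)
    print(bump_rev(EXAMPLE_RULE))
```

Running it on the sample prints (1, 2000000, 0), the direction and rev notes, and the same rule with rev:1. Swapping the source to $EXTERNAL_NET clears the direction note, which is the home-any variant the reply suggests.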