[Snort-sigs] First attempt at writing a sig

Lance Boon lboon at ...2573...
Fri Dec 17 12:16:12 EST 2004


Netop defaults to port 6502 but can be configured for any port.  I have
2000000 || Netop Remote Control Usage || url,www.netop.com in the
sid-msg.map, have SIGHUP'd snort, cleared out the alert in acid and
opened up netop again, but still no difference: just Snort Alert on the
acid page.

-----Original Message-----
From: David Lowless [mailto:dlowless at ...2771...] 
Sent: Friday, December 17, 2004 2:06 PM
To: Lance Boon
Subject: Re: [Snort-sigs] First attempt at writing a sig

You need to update /path/to/rules/sid-msg.map

Also, can netop use any port? If not, the second "any" in the rule will
help stop false positives.

hope that helps you.

Dave
----- Original Message ----- 
From: "Lance Boon" <lboon at ...2573...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Friday, December 17, 2004 8:03 PM
Subject: [Snort-sigs] First attempt at writing a sig


> This is my first attempt at writing a sig and wondered if anybody had
> any pointers. I got a pcap of a netop session to 2 different systems,
> ran it through snort and noticed that the content was the same in one
> particular packet. So I wrote a rule for it, I have this working on my
> network right now and haven't had any false positives yet. The only
> thing that is bugging me and I'm sure that it's something that I'm
> missing is that when an alert hits it doesn't read "Netop Remote Control
> Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
>
> alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
> Usage"; content:"|554b30303736305337473130|";
> reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
> rev:1;)
>
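
A small check written here as an added example (it is not from the thread or from the Snort project): it parses the rule above and a constructed sid-msg.map, confirms the sid and msg line up, which is what has to hold before a console can print the rule's msg instead of the bare sid, and decodes the |..| hex content so you can see which bytes the rule actually keys on. The rule text and the map contents are constructed from the thread; the only change to the rule is the ';' Snort expects before the closing ')'.

```python
import re
# Constructed inputs: the thread's rule (with ';' before ')') and a sid-msg.map sample.
RULE = ('alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; '
        'content:"|554b30303736305337473130|"; reference:url,www.netop.com; '
        'classtype:policy-violation; sid:2000000; rev:1;)')
SID_MSG_MAP = """\
# sid-msg.map (constructed sample), "sid || msg || ref" per line
1000001 || Some other local rule
2000000 || Netop Remote Control Usage || url,www.netop.com
"""

def parse_rule(rule):
    """Pull msg, sid, rev and the raw content match out of one Snort rule line."""
    opts = {}
    for key in ("msg", "sid", "rev", "content"):
        m = re.search(r'\b%s:\s*"?([^";]*)"?\s*;' % key, rule)
        opts[key] = m.group(1) if m else None
    return opts

def content_to_bytes(content):
    """Snort content string -> bytes: text between |..| is hex, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def parse_sid_msg_map(text):
    """Map sid -> message, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split("||")]
            table[int(fields[0])] = fields[1]
    return table

def check_rule_against_map(rule, sid_map_text):
    """Return (ok, reason); ok is False when only the bare sid can be shown."""
    opts, table = parse_rule(rule), parse_sid_msg_map(sid_map_text)
    sid = int(opts["sid"])
    if sid not in table:
        return False, "sid %d is missing from sid-msg.map" % sid
    if table[sid] != opts["msg"]:
        return False, "msg differs: rule=%r map=%r" % (opts["msg"], table[sid])
    return True, "sid %d -> %r" % (sid, table[sid])

def matches_payload(rule, payload):
    """True when the rule's content bytes occur anywhere in the UDP payload."""
    return content_to_bytes(parse_rule(rule)["content"]) in payload
```

Run check_rule_against_map against the real rule file and map on the sensor; a False result is the first thing to fix when the console shows only "Snort Alert [1:sid:rev]".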
