[Snort-sigs] First attempt at writing a sig

Hogan, Adam (A.W.) ahogan9 at ...2936...
Fri Dec 17 12:20:22 EST 2004


For it to show up as "Netop Remote Control Usage" in ACID you have to
add the entry to your sid-msg.map file, like this:

2000000 || Netop Remote Control Usage

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Lance Boon
Sent: Friday, December 17, 2004 3:03 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] First attempt at writing a sig


This is my first attempt at writing a sig and wondered if anybody had
any pointers. I got a pcap of a Netop session to 2 different systems,
ran it through Snort and noticed that the content was the same in one
particular packet. So I wrote a rule for it. I have this working on my
network right now and haven't had any false positives yet. The only
thing that is bugging me, and I'm sure it's something I'm missing, is
that when an alert hits it doesn't read "Netop Remote Control Usage" on
the ACID page; it just says [snort] Snort Alert [1:2000000:0]

alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; \
content:"|554b30303736305337473130|"; reference:url,www.netop.com; \
classtype:policy-violation; sid:2000000; rev:1;)
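As an added example (not from the post and not Snort's own tooling), this Python script parses the rule above, decodes its |hex| content to show which bytes the rule actually matches, emits the sid-msg.map line Adam describes, and flags a rule body whose last option is missing the ';' terminator. The rule text is reconstructed from the post; the function names are assumptions of this example.

```python
import re

# Constructed sample: the Netop rule from the post on one line, with the
# "rev:1;" terminator Snort requires (the posted version ended in "rev:1)").
NETOP_RULE = (
    'alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; '
    'content:"|554b30303736305337473130|"; reference:url,www.netop.com; '
    'classtype:policy-violation; sid:2000000; rev:1;)'
)

# One rule option: keyword, ':', a quoted string or a bare value, then ';'.
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_options(rule):
    """Return the options inside (...) as a dict; 'reference' becomes a list.
    Raises ValueError if any text in the body is not a ';'-terminated option."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, pos = {}, 0
    for m in OPTION_RE.finditer(body):
        if body[pos:m.start()].strip():
            raise ValueError("unterminated option: " + body[pos:m.start()].strip())
        key, value = m.group(1), m.group(2)
        if key == "reference":
            opts.setdefault("reference", []).append(value)
        else:
            opts[key] = value
        pos = m.end()
    if body[pos:].strip():
        raise ValueError("unterminated option: " + body[pos:].strip())
    return opts


def is_well_formed(rule):
    """True if every option in the rule body ends with ';' (Snort will reject it otherwise)."""
    try:
        parse_options(rule)
        return True
    except ValueError:
        return False


def decode_content(value):
    """Turn a Snort content string (text with |hex| runs) into the bytes it matches."""
    out = bytearray()
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f ]*)\|", value.strip('"'))):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("ascii")
    return bytes(out)


def sidmap_line(opts, with_refs=False):
    """Build the sid-msg.map entry ('sid || msg', optionally '|| ref' per reference)."""
    line = opts["sid"] + " || " + opts["msg"].strip('"')
    for ref in opts.get("reference", []) if with_refs else []:
        line += " || " + ref
    return line
```

Running sidmap_line over every rule in a local rules file is enough to rebuild sid-msg.map for custom sids like 2000000; the with_refs form is the fuller layout that also carries the reference fields.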



