[Snort-users] RE: [Snort-sigs] First attempt at writing a sig

Lance Boon lboon at ...2573...
Fri Dec 17 12:59:03 EST 2004


Thanks for the info. I deleted my waldo file on 1 sensor that was having
that same problem, along with all of the old alerts, restarted snort and
barnyard, and all is happy now.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler,
Joel - Contractor
Sent: Friday, December 17, 2004 2:31 PM
To: snort-users at lists.sourceforge.net; snort-devel mailinglist
Subject: [Snort-users] RE: [Snort-sigs] First attempt at writing a sig

Sid-msg.map is only relevant if you are using barnyard.  Why can't we
get rid of sid-msg.map and have snort log the event name in unified?
For speed I am assuming...

Joel

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Lance Boon
Sent: Friday, December 17, 2004 3:21 PM
To: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] First attempt at writing a sig


Thanks for pointing that out, here's the updated rule:

alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000000; rev:2;)

This caught my traffic going to my remote subnets. I tried increasing
the revision # as well, but to no avail, so I changed the sid to 2000001:


alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000001; rev:1;)

Now it's showing up in Acid correctly.
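An added example, not code from this thread, from Snort or from barnyard, tying together Joel's point above (sid-msg.map is what barnyard uses to turn a sid into a msg) and the rules Lance posted: it parses Snort 2.x rules in the form shown, checks that every option is terminated by ';', decodes the |..| hex in content: so you can see what bytes the rule actually matches, and emits the "sid || msg || reference" lines that barnyard reads from sid-msg.map. The sample input is constructed from the two rules above plus a copy of the $HOME_NET version with the ';' after rev:1 deliberately dropped; all function names are this example's own.

```python
# Added example: not code from this thread, from Snort, or from barnyard.
# It parses Snort 2.x rules in the form posted above, checks that every
# option is ';'-terminated, decodes the |..| hex in content:, and emits the
# "sid || msg || reference" lines barnyard reads from sid-msg.map, which is
# what ACID needs to show the msg instead of "Snort Alert [1:2000000:0]".
import re

# Constructed sample input: the two rules from the thread plus a copy of the
# $HOME_NET version with the ';' after rev:1 deliberately dropped.
SAMPLE_RULES = r'''
# Netop rules from the thread
alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:2;)
alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000001; rev:1;)
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:1)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def split_options(opts):
    """Split the text between '(' and ')' into (keyword, value) pairs.

    A ';' inside double quotes does not end an option.  Snort requires every
    option to end with ';', so text left over after the last ';' is an error.
    """
    items, buf, in_quotes, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == '\\' and in_quotes and i + 1 < len(opts):   # keep \" and \; literal
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            if ''.join(buf).strip():
                items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        raise ValueError(f"option {tail!r} is not terminated by ';'")
    return [(k.strip(), v.strip()) for k, _, v in (item.partition(':') for item in items)]


def decode_content(value):
    """Turn a content: value such as "|55 4b|00" into the raw bytes matched.

    Sections between '|' are hex (spaces allowed); the rest is literal text
    with Snort's backslash escapes removed.
    """
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    parts = value.split('|')
    if len(parts) % 2 == 0:
        raise ValueError(f'unbalanced | in content {value!r}')
    out = bytearray()
    for idx, part in enumerate(parts):
        if idx % 2:                                   # inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one rule into its header fields plus a list of option pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not a rule: {line[:40]!r}')
    rule = m.groupdict()
    rule['options'] = split_options(rule.pop('opts'))
    for key, value in rule['options']:
        if key == 'content':
            decode_content(value)                      # reject bad hex early
    return rule


def sidmsg_line(rule):
    """Build the sid-msg.map (v1) line: sid || msg || ref || ref ..."""
    opts = dict((k, v) for k, v in rule['options'] if k != 'reference')
    refs = [v for k, v in rule['options'] if k == 'reference']
    if 'sid' not in opts or 'msg' not in opts:
        raise ValueError('rule needs both sid: and msg: to appear in sid-msg.map')
    return ' || '.join([opts['sid'], opts['msg'].strip('"')] + refs)


def generate_sidmsg(rules_text):
    """Return (map_lines, errors); malformed rules are reported, not dropped silently."""
    map_lines, errors = [], []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            map_lines.append(sidmsg_line(parse_rule(line)))
        except ValueError as exc:
            errors.append(f'line {lineno}: {exc}')
    return map_lines, errors


if __name__ == '__main__':
    lines, errors = generate_sidmsg(SAMPLE_RULES)
    print('\n'.join(lines))
    for err in errors:
        print('ERROR', err)
    print(decode_content('"|554b30303736305337473130|"'))
```

Run it over your local rules file and append the emitted lines to sid-msg.map before restarting barnyard; a rule that reaches the map without a msg, or whose last option is missing its ';', is reported instead of silently producing a "Snort Alert [gid:sid:rev]" entry. The decoded content also shows that the twelve hex bytes in the Netop rule are plain printable ASCII, which is worth knowing when judging how specific the match is on any-port UDP.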

-----Original Message-----
From: Matt Jonkman [mailto:matt at ...2436...] 
Sent: Friday, December 17, 2004 2:10 PM
To: Lance Boon
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] First attempt at writing a sig

Not a bad run for a first sig. Thanks for posting it.

Why did you go home-home net? Why not home-any? Or even any-any? I'm not
that familiar with the tool, but I'd think the most interesting traffic
would be someone from the outside connecting to a local box.

As far as why it doesn't show right in acid, not sure. It is crafted 
correctly. Try increasing the rev number and hitting it again. I wonder 
if maybe the first time you had a hit the msg was empty, in which case 
it won't take the new msg until the rev # increases.

I'll put this up on bleeding snort for more testing after we sort out 
the reasons for the home-home.

Matt

Lance Boon wrote:

>This is my first attempt at writing a sig and wondered if anybody had
>any pointers. I got a pcap of a netop session to 2 different systems,
>ran it through snort and noticed that the content was the same in one
>particular packet. So I wrote a rule for it. I have this working on my
>network right now and haven't had any false positives yet. The only
>thing that is bugging me, and I'm sure that it's something that I'm
>missing, is that when an alert hits it doesn't read "Netop Remote Control
>Usage" on the acid page; it just says [snort] Snort Alert [1:2000000:0]
>
>alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
>Usage"; content:"|554b30303736305337473130|";
>reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
>rev:1;)
>
