[Snort-sigs] First attempt at writing a sig

Lance Boon lboon at ...2573...
Fri Dec 17 13:04:01 EST 2004

I want to thank everyone that responded to this thread; your insight and
suggestions are greatly appreciated.

-----Original Message-----
From: Matt Jonkman [mailto:matt at ...2436...] 
Sent: Friday, December 17, 2004 2:40 PM
To: Lance Boon
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] First attempt at writing a sig

Looks good now. I'll post this to Bleeding Snort and we'll see what 
other feedback comes of it.


Lance Boon wrote:

>Thanks for pointing that out here's the updated rule
>alert udp any any -> any any (msg:"Netop Remote Control Usage";
>content:"|554b30303736305337473130|"; reference:url,www.netop.com;
>classtype:policy-violation; sid:2000000; rev:2;)
>This caught my traffic going to my remote subnets. I tried increasing
>the revision # as well but to no avail so I changed the sid to 2000001
>alert udp any any -> any any (msg:"Netop Remote Control Usage";
>content:"|554b30303736305337473130|"; reference:url,www.netop.com;
>classtype:policy-violation; sid:2000001; rev:1;)
>Now it's showing up in Acid correctly
>-----Original Message-----
>From: Matt Jonkman [mailto:matt at ...2436...] 
>Sent: Friday, December 17, 2004 2:10 PM
>To: Lance Boon
>Cc: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] First attempt at writing a sig
>Not a bad run for a first sig. Thanks for posting it.
>Why did you go home-home net? Why not home-any? Or even any-any? I'm
>that familiar with the tool, but I'd think the most interesting traffic
>would be someone from the outside connecting to a local box.
>As far as why it doesn't show right in acid, not sure. It is crafted 
>correctly. Try increasing the rev number and hitting it again. I wonder
>if maybe the first time you had a hit the msg was empty, in which case 
>it won't take the new msg until the rev # increases.
>I'll put this up on bleeding snort for more testing after we sort out 
>the reasons for the home-home.
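As an added example (not code from the thread or from the Snort project), the script below parses Lance's revised rule, decodes the pipe-delimited hex in its content option, and checks constructed UDP payloads against it; the helper names and the sample payloads are my own.

```python
# Snort rule from the thread (sid 2000001 version), embedded verbatim.
RULE = ('alert udp any any -> any any (msg:"Netop Remote Control Usage"; '
        'content:"|554b30303736305337473130|"; reference:url,www.netop.com; '
        'classtype:policy-violation; sid:2000001; rev:1;)')

# Constructed sample payloads (not real captures): one carrying the
# Netop marker, one ordinary UDP payload that must not alert.
SAMPLE_HIT = b"\x01\x00UK00760S7G10\x00host-a"
SAMPLE_MISS = b"\x01\x00NOTNETOP0000\x00host-b"


def decode_content(value: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside
    the pipes is hex (optionally space separated)."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        if i % 2 == 1:                     # odd chunks sit between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a one-line rule into its header fields and option dict.
    Good enough for rules like the one above (no ';' inside msg)."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "contents": []}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            parsed["contents"].append(decode_content(val))
        elif key in ("sid", "rev"):
            parsed[key] = int(val)        # sid/rev are what ACID keys on
        else:
            parsed[key] = val
    return parsed


def matches(rule: dict, payload: bytes) -> bool:
    """True when every content option is found somewhere in the payload."""
    return all(c in payload for c in rule["contents"])


if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r["sid"], r["rev"], r["contents"], matches(r, SAMPLE_HIT))
```

The hex in the content option decodes to the ASCII string UK00760S7G10, which is what the matcher looks for in each payload.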
