[Snort-sigs] rule revision tracking

John Nagro john.nagro at ...2420...
Fri Jul 9 12:26:02 EDT 2004


I might be missing something, but I don't think ACID displays this kind
of data? Am I wrong?

Thanks for the tips though, I might be able to figure something else out.

-John

On Fri, 09 Jul 2004 12:29:43 -0400, Matthew Watchinski
<mwatchinski at ...435...> wrote:
> Most output modes / plugins (I think all of them) return the gen:sid:rev
> 
> 07/09-12:26:12.591044  [**]
> 
> [1:1417:9] = gen_id 1 , sid 1417 , rev 9
> 
>  SNMP request udp [**] [Classification: Attempted Information Leak]
> [Priority: 2] {UDP} 10.4.10.52:1029 -> 10.1.1.204:161
> 07/09-12:26:12.591044 0:C:29:96:DF:A2 -> 0:F:24:2A:50:30 type:0x800 len:0x7C
> 10.4.10.52:1029 -> 10.1.1.204:161 UDP TTL:128 TOS:0x0 ID:21184 IpLen:20
> DgmLen:106
> Len: 78
> 30 4C 02 01 00 04 06 70 75 62 6C 69 63 A0 3F 02  0L.....public.?.
> 02 04 EC 02 01 00 02 01 00 30 33 30 0F 06 0B 2B  .........030...+
> 06 01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B  ............0...
> 2B 06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06  +............0..
> 0B 2B 06 01 02 01 19 03 05 01 02 01 05 00        .+............
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> Cheers,
> -matt
> 
> 
> 
> John Nagro wrote:
> 
> >With the fairly frequent changes to rule sets (especially in bleedingsnort and
> >custom rules made up as a rapid response to an attack/virus/etc) it would be
> >nice to be able to tell which revision # of a rule set off an alert in
> >question. I don't think there is currently any way to track this, but if
> >there is could someone clue me in?
> >
> >Thanks!
> >
> >-John
> >
> >
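The gen:sid:rev triple Matt points at is exactly what rule revision tracking needs: every alert already carries the revision of the rule that fired. The following Python script is an added example, not code from the thread or from the Snort project. It parses alert lines in Snort's alert_fast format (the one-line "[**] [gid:sid:rev] msg [**] ..." form quoted above), pulls the rev out of a rules file by reading the sid/rev/gid options, and reports whether each alert was produced by the revision currently loaded, so you can tell at a glance which alerts predate a rule change. The alert lines and the rule text below are constructed samples modeled on the thread's SNMP example; the second alert line and the rule body are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts in alert_fast format (first line modeled on the
# one quoted in the thread; the second is invented with an older rev).
SAMPLE_ALERTS = """\
07/09-12:26:12.591044  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.4.10.52:1029 -> 10.1.1.204:161
07/09-12:31:07.002311  [**] [1:1417:8] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.4.10.77:1033 -> 10.1.1.204:161
"""

# Constructed rule text (hypothetical ruleset excerpt; only sid/rev/gid matter).
SAMPLE_RULES = """\
# SNMP community string probe (constructed example rule)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; content:"public"; classtype:attempted-recon; sid:1417; rev:9;)
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification and priority, {proto} src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"],
        priority=int(m["pri"]) if m["pri"] else None,
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def load_rule_revisions(rules_text: str) -> Dict[Tuple[int, int], int]:
    """Map (gid, sid) -> rev for every rule in the text. Snort defaults
    gid to 1 and rev to 1 when the options are absent."""
    revisions: Dict[Tuple[int, int], int] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        rev = REV_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        revisions[key] = int(rev.group(1)) if rev else 1
    return revisions


def check_revisions(alert_text: str, rules_text: str) -> List[Tuple[Alert, str, Optional[int]]]:
    """For each alert return (alert, status, loaded_rev) where status is
    'current' (rev matches the loaded rule), 'stale' (rule has since been
    revised) or 'unknown' (no such gid:sid in the loaded ruleset)."""
    revisions = load_rule_revisions(rules_text)
    report = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        loaded = revisions.get((alert.gid, alert.sid))
        if loaded is None:
            status = "unknown"
        elif loaded == alert.rev:
            status = "current"
        else:
            status = "stale"
        report.append((alert, status, loaded))
    return report


if __name__ == "__main__":
    for alert, status, loaded in check_revisions(SAMPLE_ALERTS, SAMPLE_RULES):
        print(f"{alert.timestamp} [{alert.gid}:{alert.sid}:{alert.rev}] {alert.msg!r} "
              f"{alert.src} -> {alert.dst}: {status} (loaded rev {loaded})")
```

Stale alerts are the ones to re-examine after a rule update: the match logic that produced them may no longer exist, so a triage decision based on the current rule text can be wrong for them. The same (gid, sid, rev) key is what the database output plugins store, so the comparison can be run against an alert table just as well as against a text log.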
