[Snort-sigs] rule revision tracking

Joshua Berry jberry at ...2562...
Fri Jul 9 13:28:01 EDT 2004


ACID doesn't display it, but it is there in the signature table under
the sig_rev column.  You could add a little hack to your ACID display to
include it in the output.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of John Nagro
Sent: Friday, July 09, 2004 2:25 PM
To: Matthew Watchinski
Cc: snort-sigs at lists.sourceforge.net; snort-userss at lists.sourceforge.net
Subject: Re: [Snort-sigs] rule revision tracking

I might be missing something, but I don't think ACID displays this kind
of data? Am I wrong?

Thanks for the tips though, I might be able to figure something else
out.

-John

On Fri, 09 Jul 2004 12:29:43 -0400, Matthew Watchinski
<mwatchinski at ...435...> wrote:
> Most output modes / plugins (I think all of them) return the
> gen:sid:rev
> 
> 07/09-12:26:12.591044  [**]
> 
> [1:1417:9] = gen_id 1 , sid 1417 , rev 9
> 
>  SNMP request udp [**] [Classification: Attempted Information Leak]
> [Priority: 2] {UDP} 10.4.10.52:1029 -> 10.1.1.204:161
> 07/09-12:26:12.591044 0:C:29:96:DF:A2 -> 0:F:24:2A:50:30 type:0x800 len:0x7C
> 10.4.10.52:1029 -> 10.1.1.204:161 UDP TTL:128 TOS:0x0 ID:21184 IpLen:20
> DgmLen:106
> Len: 78
> 30 4C 02 01 00 04 06 70 75 62 6C 69 63 A0 3F 02  0L.....public.?.
> 02 04 EC 02 01 00 02 01 00 30 33 30 0F 06 0B 2B  .........030...+
> 06 01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B  ............0...
> 2B 06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06  +............0..
> 0B 2B 06 01 02 01 19 03 05 01 02 01 05 00        .+............
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> Cheers,
> -matt
> 
> 
> 
> John Nagro wrote:
> 
> >With the fairly frequent changes to rule sets (especially in bleedingsnort and
> >custom rules made up as a rapid response to an attack/virus/etc) it would be nice
> >to be able to tell which revision # of a rule set off an alert in question. I don't
> >think there is currently any way to track this, but if there is could someone clue
> >me in?
> >
> >Thanks!
> >
> >-John
> >
> >
> >-------------------------------------------------------
> >This SF.Net email sponsored by Black Hat Briefings & Training.
> >Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> >digital self defense, top technical experts, no vendor pitches,
> >unmatched networking opportunities. Visit www.blackhat.com
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
> >
> 
>

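An added example, not from any poster in this thread and not ACID's or Snort's own code: it pulls the gen:sid:rev triple Matt points out out of an alert_fast line and compares the alert's rev with the rev of the rule currently loaded, which is the "which revision set this off" question John asks. The alert line is re-joined from the sample in the thread; the rules text is constructed for the example and is not the real Snort rule for sid 1417.

```python
import re

# alert_fast line, re-joined from the sample quoted in the thread
SAMPLE_ALERT = ("07/09-12:26:12.591044  [**] [1:1417:9] SNMP request udp [**] "
                "[Classification: Attempted Information Leak] [Priority: 2] "
                "{UDP} 10.4.10.52:1029 -> 10.1.1.204:161")

# constructed rules text (not the real snort.org rule bodies): sid 1417 has
# already moved on to rev 10, so the rev 9 alert above is from an older rule
SAMPLE_RULES = """\
# constructed sample rules
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; sid:1417; rev:10; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"local rapid-response rule"; sid:1000001; rev:3;)
"""

# alert_fast layout: <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

RULE_OPT_RE = re.compile(r"\b(sid|rev)\s*:\s*(\d+)\s*;")


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert_fast line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev"):
        d[key] = int(d[key])
    d["pri"] = int(d["pri"]) if d["pri"] is not None else None
    return d


def load_rule_revisions(rules_text):
    """Map sid -> rev for every rule line; a rule without rev is treated as rev 1."""
    revs = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = dict(RULE_OPT_RE.findall(line))
        if "sid" in opts:
            revs[int(opts["sid"])] = int(opts.get("rev", 1))
    return revs


def check_revision(alert, revs):
    """'current' if the alert's rev is the loaded one, 'stale' if the rule has since changed, 'unknown' if the sid is not loaded."""
    loaded = revs.get(alert["sid"])
    if loaded is None:
        return "unknown"
    return "current" if loaded == alert["rev"] else "stale"
```

Because the rev travels inside the gid:sid:rev triple of every output plugin (and into ACID's sig_rev column), this check can be run over an alert log or a database export without any change to the sensor.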
