[Snort-sigs] Rule #2000900

Ole-Martin olebakk at ...2420...
Thu Jul 29 14:15:04 EDT 2004


Good!

Rule 2000428 is also missing from the sid by the way... :)

Some others might be missing as well...

linux:/etc/snort/rules # cat bleeding-sid-msg.map | grep 2000 |wc -l
  301
linux:/etc/snort/rules # grep sid:2000 bleeding*rules* | wc -l
  325

I'm not complaining though - I could just write a script to handle
this the proper way including my local.rules, just thought you'd like
to know...

--
Ole-Martin

On Thu, 29 Jul 2004 09:22:29 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> I am also catching a lot of things not caught before with that rule.
> Seeing a lot of tcp traffic too.
> 
> Anyway, the sid map was broken, thanks for pointing that out. I didn't
> adjust the scripts when I moved the malware rules. It's fixed now. Thanks
> 
> Matt
> 
> 
> 
> Ole-Martin wrote:
> 
> > Hi!
> >
> > I just wanted to say I've found good use of the 2000900 rule in
> > bleeding (BLEEDING-EDGE Malware JoltID Agent Probing or Announcing
> > UDP).
> >
> > I think it might be included with KaZaA now and that makes it easy to
> > find machines that violate company policy.
> >
> > Why aren't 20009xx rules in bleeding-sid-msg.map?
> >
> >
> > --
> > Ole-Martin
> >
> >
>
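
The line counts in the message above show that the map and the rule files disagree, but not which SIDs are missing. The script below is an added example, not part of the original thread or of the Bleeding Snort tooling, and lists the SIDs that are defined in rule files but absent from the map. The function names and the sample file contents are constructed for illustration, and it assumes the usual "sid || msg || ref" layout of sid-msg.map.

```shell
#!/bin/sh
# Added example (not from the thread): compare rule SIDs against sid-msg.map.
# Counting lines with grep | wc -l shows only that the totals differ; a set
# difference shows which SIDs are missing from the map.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# SIDs of all active (uncommented) rules in the given rule files.
rule_sids() {
    grep -hv '^[[:space:]]*#' "$@" |
        grep -oE 'sid:[[:space:]]*[0-9]+' | grep -oE '[0-9]+' | sort -u
}

# SIDs listed in a map file, whose lines look like "sid || msg || ref ...".
map_sids() {
    sed -nE 's/^([0-9]+)[[:space:]]*\|\|.*/\1/p' "$1" | sort -u
}

# Usage: missing_sids MAPFILE RULEFILE...  -> SIDs in rules but not in map.
missing_sids() {
    map=$1; shift
    tmp=$(mktemp) || return 1
    map_sids "$map" > "$tmp"
    rule_sids "$@" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Write constructed sample files (not real bleeding rules) into directory $1.
make_sample() {
    cat > "$1/sample.rules" <<'EOF'
alert udp any any -> any any (msg:"Constructed rule A"; sid:2000428; rev:1;)
alert tcp any any -> any any (msg:"Constructed rule B"; sid: 2000900; rev:2;)
alert tcp any any -> any any (msg:"Constructed rule C"; sid:2000001; rev:1;)
#alert tcp any any -> any any (msg:"Disabled rule"; sid:2000002; rev:1;)
EOF
    cat > "$1/sample-sid-msg.map" <<'EOF'
# constructed map; 2000005 appears only inside a message text
2000001 || Constructed rule C
1000007 || Message mentioning 2000005
EOF
}

# Demo on the constructed files: prints the two SIDs absent from the map.
demo_dir=$(mktemp -d) && make_sample "$demo_dir" &&
    missing_sids "$demo_dir/sample-sid-msg.map" "$demo_dir/sample.rules"
rm -rf "$demo_dir"
```

Passing local.rules as an extra rule file argument covers local rules in the same run. Commented-out rules and numbers that appear only inside a message text are ignored, both of which the plain grep counts would include.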



