[Snort-sigs] Rule #2000900

Matthew Jonkman matt at ...2436...
Thu Jul 29 15:46:02 EDT 2004


248 was removed. I forget why, was a bad rule.

The sid's aren't contiguous for a couple reasons:

Some rules are in stable-side
some have been removed
some days the admins here just have trouble counting  :)

We use a script to generate the sid-msg.map from the stable and 
stable/malware rules. But now that you mention it we should also pull 
from stable-side. I'll make that adjustment and update. That will fix 
most of the missing rules.

Thanks for pointing it out.

Matt

Ole-Martin wrote:
> Good!
> 
> Rule 2000428 is also missing from the sid by the way... :)
> 
> Some others might be missing as well...
> 
> linux:/etc/snort/rules # cat bleeding-sid-msg.map | grep 2000 |wc -l
>   301
> linux:/etc/snort/rules # grep sid:2000 bleeding*rules* | wc -l
>   325
> 
> I'm not complaining though - I could just write a script to handle
> this the proper way including my local.rules, just thought you'd like
> to know...
> 
> --
> Ole-Martin
> 
> On Thu, 29 Jul 2004 09:22:29 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> 
>>I am also catching a lot of things not caught before with that rule.
>>Seeing a lot of tcp traffic too.
>>
>>Anyway, the sid map was broken, thanks for pointing that out. I didn't
>>adjust the scripts when I moved the malware rules. It's fixed now. Thanks
>>
>>Matt
>>
>>
>>
>>Ole-Martin wrote:
>>
>>
>>>Hi!
>>>
>>>I just wanted to say I've found good use of the 2000900 rule in
>>>bleeding (BLEEDING-EDGE Malware JoltID Agent Probing or Announcing
>>>UDP).
>>>
>>>I think it might be included with KaZaA now and that makes it easy to
>>>find machines that violate company policy.
>>>
>>>Why aren't the 20009xx rules in bleeding-sid-msg.map?
>>>
>>>
>>>--
>>>Ole-Martin
>>>
>>>
>>
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
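The map-generation script and the count check discussed in this thread, as an added example that is not the Bleeding Snort project's own script: it builds a sid-msg.map from the stable, stable/malware and stable-side directories and lists any sid that a rules file carries but the map lacks. The directory layout, file names and rules below are constructed for the example, and it assumes each rule puts msg before sid on a single line.

```shell
#!/bin/sh
# Added example (not the Bleeding Snort project's own script): generate a
# sid-msg.map from every rules directory and report sids missing from a map.
set -eu

# Constructed sample tree mirroring the directories named in the thread.
WORK=$(mktemp -d)
mkdir -p "$WORK/stable/malware" "$WORK/stable-side"
cat > "$WORK/stable/bleeding.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"BLEEDING-EDGE Example A"; sid:2000100; rev:1;)
alert udp any any -> any 53 (msg:"BLEEDING-EDGE Example B"; sid:2000101; rev:2;)
# alert tcp any any -> any 21 (msg:"BLEEDING-EDGE Disabled"; sid:2000102; rev:1;)
EOF
cat > "$WORK/stable/malware/bleeding-malware.rules" <<'EOF'
alert udp any any -> any any (msg:"BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; sid:2000900; rev:1;)
EOF
cat > "$WORK/stable-side/bleeding-side.rules" <<'EOF'
alert tcp any any -> any 25 (msg:"BLEEDING-EDGE Side Example"; sid:2000428; rev:1;)
EOF

# Emit "sid || msg" lines (the sid-msg.map format) for every active rule in
# the given directories; commented-out rules are skipped, as Snort skips them.
gen_sid_msg_map() {
    find "$@" -name '*.rules' -type f -exec cat {} + \
      | grep -v '^[[:space:]]*#' \
      | sed -n 's/.*msg:"\([^"]*\)".*sid:\([0-9]*\).*/\2 || \1/p' \
      | sort -u
}

# Print sids present in the rules directories but absent from the map file.
# Both lists are plain-sorted because comm requires collation order.
missing_sids() {
    map=$1; shift
    find "$@" -name '*.rules' -type f -exec cat {} + \
      | grep -v '^[[:space:]]*#' \
      | sed -n 's/.*sid:\([0-9]*\).*/\1/p' | sort -u > "$WORK/all.sids"
    cut -d ' ' -f1 "$map" | sort -u > "$WORK/map.sids"
    comm -23 "$WORK/all.sids" "$WORK/map.sids"
}

# Stand-alone run: build the map from all three directories and print it.
gen_sid_msg_map "$WORK/stable" "$WORK/stable-side"
```

Running `missing_sids` against a map built from stable alone reproduces the gap Ole-Martin found: it prints the stable-side sid 2000428, and the list is empty once stable-side is included.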

