[Snort-sigs] Windows RPC Interface access detect signature set (win-rpc.rules)

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Wed Jun 2 08:24:03 EDT 2004

FWIW... I believe the SID range for user-built sids to stay outside of
snort's reserved range starts at 1,000,000.

2.4.3 sid 
The sid keyword is used to uniquely identify Snort rules. This
information allows output plugins to identify rules easily. This option
should be used with the rev keyword. (See section 2.4.4) 

<100 Reserved for future use 
100-1,000,000 Rules included with the Snort distribution 
>1,000,000 Used for local rules 

The file sid-msg.map contains a mapping of alert messages to Snort rule
IDs. This information is useful when post-processing alert to map an ID
to an alert message. 


-----Original Message-----
From: Matthew Jonkman [mailto:matt at ...2436...] 
Sent: Wednesday, June 02, 2004 12:40 AM
To: kawa
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Windows RPC Interface access detect signature
set (win-rpc.rules)

With Kawa's permission I've added this set to the bleeding rules. But 
not in the compiled bleeding.rules file.

Added a separate dir called Stable-Side. These sigs are very 
interesting, but they can't be part of a regular ruleset without careful

consideration. They'll hit you with loads of events on your internal 
net. So use them where it's appropriate (external nets, etc).

I've added sid's and rev's. Available at http://snort.infotex.com in the


Thanks Kawa, these will be very valuable in tightening down a net.


kawa wrote:

> Hi, all.
> I made "Windows RPC Interface access detect signature set" with Urity.
> http://kawa.smokerz.net/d/file/win-rpc.rules  (v 1.0 2004/06/02)
> http://kawa.smokerz.net/d/?200405c&to=200405293#200405293 (Japanese)
> - It can detect Windows RPC Inferface access.
> - It can detect 43 RPC Interfaces.
> - It has 258 (43x6) signatures.
> - It can't detect particular attacks.
> - If unknown worms are released , it may detect.
> - Some signatures may overlap with snort signatures.
> If anyone knows other major RPC Interface ID, plz tell me.
> Thanks.

This SF.Net email is sponsored by the new InstallShield X.

More information about the Snort-sigs mailing list