[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Jeff Dell jdell at ...178...
Wed Jun 8 14:23:17 EDT 2005


 
> # this is my crazy rule, watch out!
> var STASH $HTTP_PORTS
> var HTTP_PORTS [4323:5000]
> alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
> var HTTP_PORTS 9999
> alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
> var HTTP_PORTS $STASH
> # okay, the craziness is done.

I remember when a certain Snort Rules Nazi did just this with snort.org
rules because commercial IDS vendors were automatically sucking down the
snort rules and claiming they were theirs... But he wasn't so nice with the
rule... I guess that's one way to stop them. :)

Cheers,

Jeff




