[Snort-sigs] (no subject)

waldo kitty wkitty42 at ...3507...
Mon Apr 29 14:12:35 EDT 2013


On 4/29/2013 13:05, Chukhaltsetseg Shijirbaatar wrote:
> Are this rules bad?

1. what rules?
   a. if you are talking about the two rules you posted in another thread, their 
structure looks ok...

   b. do you really mean for the references in those two rules to point to the 
P2P tracker server? they should point to an article or short description of the 
rule and why it was written the way it is...

   c. the second rule has too many '/' in the reference...

   d. the second rule is apparently to detect traffic from the client to the 
server but the first rule doesn't indicate any direction... this is ok in some 
cases...

   e. the first rule should fire on any occurrence of "www.mininova.org" in 
any/all traffic... this posting should trigger it as your original post would 
have triggered it if that snort is looking at this connection...

2. what do you consider "bad"?


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-sigs mailing list