[Snort-sigs] Fw: Snort Rules

alex dina alexander_dina at ...144...
Fri Feb 15 09:49:45 EST 2013

I am new to writing Snort rules. Is there a manual, book or URL you can recommend to brush up on this? What about the sid:4200455 in the rule?

 From: waldo kitty <wkitty42 at ...3507...>
To: snort-sigs at lists.sourceforge.net 
Sent: Thursday, February 14, 2013 7:24 PM
Subject: Re: [Snort-sigs] Fw: Snort Rules
On 2/14/2013 17:28, alex dina wrote:
> Also, can you please explain what these rule are looking for in a data packet?
> Thank you!
> alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> sid:4200455; rev:1;)

what is there to explain? it is very simple... it is looking for content blocks 
of the following...

   GET /

all must appear in the same packet...
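The "all must appear in the same packet" point is easy to test by hand. The block below is an added illustration, not part of the thread and not Snort's code: it pulls the four content strings and the sid out of the rule quoted above, then checks constructed HTTP request payloads the way Snort evaluates several plain content options (each string must occur somewhere in the payload; with no offset/depth/distance/within modifiers their order and position do not matter). Real Snort would see a reassembled stream rather than a raw segment, so the samples here each stand for one inspected payload. The host names and query values in the samples are made up.

```python
"""Toy model of multi-content Snort rule matching (added example, not Snort's
own code). Parses the rule from the mailing-list thread and evaluates it
against constructed payloads."""

# The rule quoted in the thread, verbatim.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised option section.
    ';' separates options only outside double quotes; backslash escapes are
    kept as-is so that \" does not end a quoted value."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, in_quote, i = [], [], False, 0

    def flush():
        token = "".join(buf).strip()
        if token:
            key, _, val = token.partition(":")
            opts.append((key.strip(), val.strip()))
        buf.clear()

    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            buf.extend(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
            i += 1
            continue
        buf.append(ch)
        i += 1
    flush()
    return opts


def content_bytes(value):
    """Turn a quoted Snort content value into raw bytes: strip the quotes,
    expand |xx xx| hex blocks and \\" \\; \\\\ escapes."""
    assert value.startswith('"') and value.endswith('"'), value
    s, out, i = value[1:-1], bytearray(), 0
    while i < len(s):
        if s[i] == "|":                       # hex block such as |47 45 54|
            end = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:end])
            i = end + 1
        elif s[i] == "\\" and i + 1 < len(s):  # escaped literal character
            out += s[i + 1].encode("latin-1")
            i += 2
        else:
            out += s[i].encode("latin-1")
            i += 1
    return bytes(out)


def rule_contents(rule):
    """All content patterns of a rule, as bytes, in the order written."""
    return [content_bytes(v) for k, v in parse_options(rule) if k == "content"]


def rule_sid(rule):
    return next(int(v) for k, v in parse_options(rule) if k == "sid")


def missing_contents(payload, contents):
    """Content patterns that do NOT occur in the payload; empty list == match.
    Handy when tuning a rule: shows which string kept it from firing."""
    return [c for c in contents if c not in payload]


def payload_matches(payload, contents):
    """Snort semantics for plain content options: every pattern must be found."""
    return not missing_contents(payload, contents)


# Constructed sample payloads (one inspected payload each), labelled by intent.
SAMPLES = {
    # all four strings present, in rule order
    "all_four": b"GET /index.asp?est=12345&hn=WORKSTATION&ha=AB12CD HTTP/1.1\r\n"
                b"Host: example.test\r\n\r\n",
    # ordinary request: only "GET /" is present
    "benign_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # three of the four strings: not enough, every content must match
    "three_of_four": b"GET /page.asp?est=1&hn=x HTTP/1.1\r\n\r\n",
    # same four strings, different order: still matches (no ordering modifiers)
    "reordered": b"GET /a.asp?est=&ha=1&hn=2\r\n\r\n",
}


def evaluate(rule=RULE, samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    contents = rule_contents(rule)
    return {name: payload_matches(p, contents) for name, p in samples.items()}


if __name__ == "__main__":
    print("sid", rule_sid(RULE), "contents", rule_contents(RULE))
    for name, fired in evaluate().items():
        print(f"{name:14s} -> {'ALERT' if fired else 'no match'}")
```

Two things the output makes concrete: the `three_of_four` sample does not fire because `&ha=` is absent, and the `reordered` sample does fire because nothing in the rule ties the strings to a position or sequence. On the sid question, Snort reserves sids of 1,000,000 and above for locally written rules, so a sid like 4200455 marks this as a local or third-party rule rather than one from the official rule sets.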
