[Snort-sigs] Fw: Snort Rules

alex dina alexander_dina at ...144...
Fri Feb 15 09:49:45 EST 2013


I am new to writing Snort rules, is there a manual, book or URL you can recommend to brush up on this? what about the sid:4200455 in the rule? 
  

________________________________
 From: waldo kitty <wkitty42 at ...3507...>
To: snort-sigs at lists.sourceforge.net 
Sent: Thursday, February 14, 2013 7:24 PM
Subject: Re: [Snort-sigs] Fw: Snort Rules
  
On 2/14/2013 17:28, alex dina wrote:
> Also, can you please explain what these rule are looking for in a data packet?
> Thank you!
>
> alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> sid:4200455; rev:1;)


what is there to explain? it is very simple... it is looking for content blocks 
of the following...

   GET /
   .asp?est=
   &hn=
   &ha=

all must appear in the same packet...

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130215/3338b318/attachment.html>


More information about the Snort-sigs mailing list