[Snort-sigs] Fw: Snort Rules

Alex McDonnell amcdonnell at ...435...
Fri Feb 15 10:02:11 EST 2013


http://manual.snort.org/ should help you lots

On Fri, Feb 15, 2013 at 9:49 AM, alex dina <alexander_dina at ...144...> wrote:

> I am new to writing Snort rules, is there a manual, book or URL you can
> recommend to brush up on this? what about the sid:4200455 in the rule?
>
> *From:* waldo kitty <wkitty42 at ...3507...>
> *To:* snort-sigs at lists.sourceforge.net
> *Sent:* Thursday, February 14, 2013 7:24 PM
> *Subject:* Re: [Snort-sigs] Fw: Snort Rules
>
> On 2/14/2013 17:28, alex dina wrote:
> > Also, can you please explain what these rules are looking for in a data
> > packet?
> > Thank you!
> >
> > alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> > content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> > sid:4200455; rev:1;)
>
>
> what is there to explain? it is very simple... it is looking for content
> blocks of the following...
>
>   GET /
>   .asp?est=
>   &hn=
>   &ha=
>
> all must appear in the same packet...
>
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
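To make the reading given in the thread concrete, here is an added Python model of how the quoted rule's `content:` options are evaluated. It is not Snort and not code from anyone in the thread; the rule text is taken verbatim from the message, while the function names (`parse_rule`, `rule_matches`, `evaluate`) and the sample HTTP requests are constructed for this example.

```python
"""Added example: a toy model of the quoted Snort rule's content matching.
Not Snort itself and not code from the thread; the payloads below are
constructed for illustration."""
import re

# The rule exactly as quoted in the thread.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')


def parse_rule(rule):
    """Split a one-line Snort rule into its header and the options we care
    about: msg, sid and the ordered list of plain content strings.
    Snort's |..| hex notation and content modifiers are not handled here."""
    header, _, options = rule.partition("(")
    options = options.rstrip(")")
    contents = re.findall(r'content:"((?:[^"\\]|\\.)*)"\s*;', options)
    msg = re.search(r'msg:"([^"]*)"', options)
    sid = re.search(r'sid:(\d+)', options)
    return {
        "header": header.strip(),
        "msg": msg.group(1) if msg else "",
        "sid": int(sid.group(1)) if sid else None,
        # content matches are byte comparisons against the payload
        "contents": [c.encode() for c in contents],
    }


def rule_matches(payload, contents):
    """A bare content: keyword (no nocase, offset, depth or distance) is a
    case-sensitive substring search anywhere in the inspected payload. The
    matches are unordered, and every one of them must succeed for the rule
    to fire, which is the 'all must appear in the same packet' reading
    given in the thread."""
    return all(c in payload for c in contents)


# Constructed sample payloads (hypothetical, for this example only),
# labelled by what each one is meant to show.
SAMPLES = {
    # all four strings present: the rule fires
    "beacon_like": b"GET /page.asp?est=1&hn=HOSTNAME&ha=0a HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # ordinary .asp request with no 'est=' parameter: rule stays quiet
    "benign_asp": b"GET /index.asp?id=5 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # three of four strings: still no alert, every content must match
    "missing_ha": b"GET /page.asp?est=1&hn=HOSTNAME HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # same parameters, upper-case extension: '.asp?est=' is case-sensitive,
    # so this does not match; adding nocase to the contents would change that
    "uppercase_ext": b"GET /page.ASP?est=1&hn=HOSTNAME&ha=0a HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}


def evaluate(rule=RULE, samples=SAMPLES):
    """Return {sample_name: fired?} for each payload checked against the rule."""
    parsed = parse_rule(rule)
    return {name: rule_matches(p, parsed["contents"]) for name, p in samples.items()}


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print(f'sid {parsed["sid"]}: {parsed["msg"]}')
    for name, fired in evaluate().items():
        print(f"{name:15} -> {'ALERT' if fired else 'no alert'}")
```

Running it shows only the first sample firing. The last sample is the tuning point a rule reviewer would raise: with no `nocase` modifier, each `content:` match is byte-exact, so the rule as written only covers the lower-case spelling of the URI pieces it lists.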