[Snort-sigs] Fw: Snort Rules

waldo kitty wkitty42 at ...3507...
Fri Feb 15 22:53:52 EST 2013


On 2/15/2013 09:49, alex dina wrote:
> I am new to writing Snort rules,

okay...

> is there a manual, book or URL you can recommend to brush up on this?

others have responded with what i would also point to... snort rules are not 
that hard to decipher ;)

> what about the sid:4200455 in the rule?

that is simply an ID number... they can change when one submits their rules to 
those who may publish them... it is just a number which is used to correlate the 
alerts generated by it... outside of that, it really doesn't mean all that much...

> *From:* waldo kitty <wkitty42 at ...3507...>
> *To:* snort-sigs at lists.sourceforge.net
> *Sent:* Thursday, February 14, 2013 7:24 PM
> *Subject:* Re: [Snort-sigs] Fw: Snort Rules
>
> On 2/14/2013 17:28, alex dina wrote:
>  > Also, can you please explain what these rules are looking for in a data packet?
>  > Thank you!
>  >
>  > alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
>  > content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
>  > sid:4200455; rev:1;)
>
>
> what is there to explain? it is very simple... it is looking for content blocks
> of the following...
>
> GET /
> .asp?est=
> &hn=
> &ha=
>
> all must appear in the same packet...
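The four content matches in the quoted rule are plain substring searches over the packet payload. The following Python is an added illustration, not part of this thread and not Snort's own code: it pulls the `content:` patterns and the `sid` out of the rule text and evaluates them against a few constructed HTTP payloads the way Snort treats unmodified content options, namely each pattern searched independently across the whole payload, all of them required, order not enforced. The `|hex|` byte-block and backslash-escape handling follows the Snort content syntax; the `HIT`, `MISS` and `REORDERED` payloads are made up for the demonstration.

```python
import re

# The rule exactly as quoted in the thread, as one string.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')

# content:"..." where the quoted text may contain backslash-escaped characters.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def decode_content(raw: str) -> bytes:
    """Turn one Snort content string into the bytes it matches.

    Text between |...| bars is a hex byte block (e.g. |20| is a space);
    everywhere else a backslash escapes the next character.
    """
    out = bytearray()
    for i, part in enumerate(raw.split('|')):
        if i % 2 == 0:                       # literal text segment
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
        else:                                # hex byte block
            out += bytes.fromhex(part.replace(' ', ''))
    return bytes(out)


def parse_contents(rule: str) -> list:
    """Return every content pattern of the rule, as bytes, in written order."""
    return [decode_content(raw) for raw in CONTENT_RE.findall(rule)]


def sid_of(rule: str) -> int:
    """Return the rule's sid; it is only a correlation number, as the thread says."""
    m = SID_RE.search(rule)
    if m is None:
        raise ValueError("rule has no sid option")
    return int(m.group(1))


def matches(rule: str, payload: bytes) -> bool:
    """True when every content pattern occurs somewhere in the payload.

    With no distance/within/offset/depth modifiers, each content is an
    independent, case-sensitive search over the entire payload, so the
    rule fires whenever all four substrings are present, in any order.
    """
    return all(pattern in payload for pattern in parse_contents(rule))


# Constructed sample payloads (not captured traffic).
HIT = (b"GET /index.asp?est=1&hn=host&ha=abc HTTP/1.1\r\n"
       b"Host: example.invalid\r\n\r\n")
MISS = (b"GET /index.asp?est=1&hn=host HTTP/1.1\r\n"     # no "&ha=" anywhere
        b"Host: example.invalid\r\n\r\n")
REORDERED = b"&ha=x&hn=y .asp?est= GET /"                # same strings, scrambled


def demo() -> dict:
    """Evaluate the rule against the three constructed payloads."""
    return {
        "sid": sid_of(RULE),
        "contents": parse_contents(RULE),
        "hit": matches(RULE, HIT),
        "miss": matches(RULE, MISS),
        "reordered": matches(RULE, REORDERED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `REORDERED` result is the point worth noticing when reading a rule like this: because none of the content options carry a `distance` or `within` modifier, the rule does not require `GET /` to precede `.asp?est=`, only that all four substrings exist somewhere in the packet. Tightening that relationship, or anchoring the URI parts with Snort's HTTP-aware modifiers, is how one reduces false positives on such a rule.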
