[Snort-sigs] Fw: Snort Rules
wkitty42 at ...3507...
Fri Feb 15 22:53:52 EST 2013
On 2/15/2013 09:49, alex dina wrote:
> I am new to writing Snort rules,
> is there a manual, book or URL you can recommend to brush up on this?
others have responded with what i would also point to... snort rules are not
that hard to decipher ;)
> what about the sid:4200455 in the rule?
that is simply an ID number... they can change when one submits their rules to
those who may publish them... it is just a number which is used to correlate the
alerts generated by it... outside of that, it really doesn't mean all that much...
> *From:* waldo kitty <wkitty42 at ...3507...>
> *To:* snort-sigs at lists.sourceforge.net
> *Sent:* Thursday, February 14, 2013 7:24 PM
> *Subject:* Re: [Snort-sigs] Fw: Snort Rules
> On 2/14/2013 17:28, alex dina wrote:
> > Also, can you please explain what these rules are looking for in a data packet?
> > Thank you!
> > alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> > content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> > sid:4200455; rev:1;)
> what is there to explain? it is very simple... it is looking for content blocks
> of the following...
> GET /
> all must appear in the same packet...
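To make the "all must appear" point concrete, here is an added example (not from the thread or the Snort project) that pulls the four content: patterns out of the quoted Taidoor rule and applies them to constructed payloads the way plain content matches behave: every pattern must be found (logical AND), each is searched over the whole buffer because the rule sets no offset/depth/distance/within, and matching is case-sensitive because there is no nocase. The payloads and the test against a single buffer are assumptions for illustration.

```python
import re

# The rule quoted in the thread, copied as posted.
TAIDOOR_RULE = (
    'alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
    'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
    'sid:4200455; rev:1;)'
)

# Plain content:"..." options; backslash escapes inside the quotes are honoured.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def parse_content_patterns(rule):
    """Return every content pattern in the rule, in order, as bytes.
    Assumption: no |hex| blocks are used (true for the rule above)."""
    patterns = []
    for raw in CONTENT_RE.findall(rule):
        text = re.sub(r'\\(.)', r'\1', raw)      # unescape \" \; \\
        patterns.append(text.encode('latin-1'))
    return patterns


def sid_of(rule):
    """Return the rule's sid as an int, or None if absent."""
    m = re.search(r'\bsid:(\d+)', rule)
    return int(m.group(1)) if m else None


def matches(rule, payload):
    """True only if every content pattern occurs somewhere in the payload.
    No distance/within/offset/depth: each pattern is searched across the whole
    buffer, so their order does not matter. No nocase: comparison is exact."""
    return all(p in payload for p in parse_content_patterns(rule))


# Constructed sample payloads (not real captures).
HIT = (b"GET /index.asp?est=1&hn=HOST-1&ha=00:11:22 HTTP/1.1\r\n"
       b"Host: example.invalid\r\n\r\n")
PARTIAL = b"GET /index.asp?est=1&hn=HOST-1 HTTP/1.1\r\n\r\n"   # no "&ha="
LOWER = HIT.replace(b"GET /", b"get /")                        # case differs

if __name__ == "__main__":
    for name, p in (("HIT", HIT), ("PARTIAL", PARTIAL), ("LOWER", LOWER)):
        verdict = "alert sid %d" % sid_of(TAIDOOR_RULE) if matches(TAIDOOR_RULE, p) else "no alert"
        print(name, "->", verdict)
```

Only HIT fires; PARTIAL lacks one of the four strings and LOWER fails on case, which is why a rule like this is easy to slip past unless nocase and stream-level inspection are considered.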