[Snort-sigs] Snort Rules Enquiry

Jamie Riden jamie.riden at ...2420...
Tue May 26 02:40:55 EDT 2015


There should be some content that looks like this - not this itself, I
stole it from fwsnort - but you get the general idea.

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)

Obviously, uncommenting it is left as an (easy) exercise for the
reader. If 2973 seems to be empty, try grabbing an older version.

cheers,
 Jamie

On 26 May 2015 at 06:16, Diego Batigoal <diegobatigoal at ...3718...> wrote:
> Hi,
> Just got stuck in the setup of the pdf CEH Lab Manual Page 860-861.
> I have downloaded the Snort 2973 and also downloaded the
> snortrules-snapshot-2973.tar rules but the rules all seem to be empty
> containing just the copyright information.
>
> I have configured snort but I need to enable detection rules in snort rule
> file. I am walking through the CEH lab and I am stuck at enabling ICMP rule.
> I have the file icmp-info.rules in C:\Snort\rules. I only see this when I
> open the file:
>
> # Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
> #
> # This file contains (i) proprietary rules that were created, tested and
> certified by
> # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under
> the    VRT
> # Certified Rules License Agreement (v 2.0), and (ii) rules that were
> created by
> # Sourcefire and other third parties (the "GPL Rules") that are distributed
> under the
> # GNU General Public License (GPL), v2.
> #
> # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were
> created
> # by Sourcefire and other third parties. The GPL Rules created by Sourcefire
> are
> # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are
> owned by
> # their respective creators. Please see
> http://www.snort.org/snort/snort-team/ for a
> # list of third party owners and their respective copyrights.
> #
> # In order to determine what rules are VRT Certified Rules or GPL Rules,
> please refer
> # to the VRT Certified Rules License Agreement (v2.0).
> #
> #-----------------
> # ICMP-INFO RULES
> #-----------------
>
> I am supposed to uncomment an alert in the file which should contain lots of
> alerts commented out. but mine doesn't seem to have that content.
> What can I do in this phase ?
>
> Regards,
> Diego
>



-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
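As an added illustration of the "uncomment the rule" step (this is my own example, not code from the thread or from the Snort project), the script below parses a rules file in the icmp-info.rules layout, lists which rules are live and which are commented out, and re-enables a rule by its sid. The sample file contents are constructed for the demo; the regexes cover the common header/option shape (quoted values, multiple reference options) and are an assumption on my part, not Snort's own parser.

```python
import re

# Constructed sample in the icmp-info.rules layout (my own sample, not the
# Sourcefire file): one commented-out rule and one live rule.
SAMPLE_RULES = """\
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#-----------------
# ICMP-INFO RULES
#-----------------
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:8;)
"""

# Rule header: optional leading '#' (rule disabled), action, protocol,
# source/port, direction, destination/port, then the option body in ().
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# One option: keyword, optional ':value' (a value may contain a quoted
# string with ';' inside it), terminated by ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_options(body):
    """Split a rule option body into an ordered list of (keyword, value)."""
    pairs, pos = [], 0
    while body[pos:].strip():
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError("malformed option near: %r" % body[pos:pos + 40])
        pairs.append((m.group(1), (m.group(2) or "").strip()))
        pos = m.end()
    return pairs


def _sid_of(match):
    """sid of a matched rule line, or None if the rule carries no sid."""
    value = dict(parse_options(match.group("opts"))).get("sid")
    return int(value) if value is not None else None


def parse_rules(text):
    """Return every rule (enabled or commented out) found in a rules file."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:  # copyright banner, section headers, blank lines
            continue
        pairs = parse_options(m.group("opts"))
        opts = dict(pairs)
        rules.append({
            "line": lineno,
            "disabled": m.group("disabled") is not None,
            "action": m.group("action"),
            "proto": m.group("proto"),
            "sid": _sid_of(m),
            "rev": int(opts.get("rev", 0)),
            "msg": opts.get("msg", "").strip('"'),
            "references": [v for k, v in pairs if k == "reference"],
        })
    return rules


def enable_rule(text, sid):
    """Return the rules text with the rule carrying `sid` uncommented.
    An already-enabled rule is left as is; an unknown sid raises KeyError."""
    out, found = [], False
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and _sid_of(m) == sid:
            found = True
            if m.group("disabled"):
                line = line[m.end("disabled"):]  # drop the leading '#'
        out.append(line)
    if not found:
        raise KeyError("no rule with sid %d" % sid)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        state = "off" if r["disabled"] else "on "
        print("%s line %d sid:%d rev:%d %s" % (state, r["line"], r["sid"], r["rev"], r["msg"]))
    print(enable_rule(SAMPLE_RULES, 363))
```

Run it against a real rules file by reading the file into `text` instead of `SAMPLE_RULES`; if `parse_rules` returns an empty list for a file that holds only the copyright banner, that confirms the snapshot contains no rule bodies at all, which is the situation described in the question. The option parser does not handle escaped quotes (`\"`) inside a msg, so treat a `ValueError` from such a line as "inspect by hand" rather than as a broken rule.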