[Snort-sigs] Snort Rules Enquiry

Joel Esler (jesler) jesler at ...3865...
Tue May 26 18:10:38 EDT 2015


icmp-info.rules should be empty.

ICMP rules have transitioned to the protocol-icmp.rules category.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
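Added illustration for this thread (not code from the list, from Talos, or from the Snort rule set): a POSIX shell script that reproduces the situation described below in a throwaway directory, then shows the check a practitioner wants before editing any rules file by hand. Rather than opening icmp-info.rules by name, it counts active and commented-out rules per file, locates the file that actually carries a given sid (the IRDP rule, sid 363, is quoted further down this thread), and enables that rule by stripping the leading "#". The file names come from the thread; the file contents are constructed samples (only the header lines and one extra rule with a local sid of 1000001), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a temporary rules
# directory that mirrors the thread, then works with it by sid.
RULES_DIR="$(mktemp -d)"

# Constructed sample: icmp-info.rules carries only header comments, as reported.
cat > "$RULES_DIR/icmp-info.rules" <<'EOF'
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#-----------------
# ICMP-INFO RULES
#-----------------
EOF

# Constructed sample: protocol-icmp.rules holds the commented-out IRDP rule
# (sid 363, as quoted in the thread) plus one already-active local rule.
cat > "$RULES_DIR/protocol-icmp.rules" <<'EOF'
#-----------------
# PROTOCOL-ICMP RULES
#-----------------
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Request (constructed sample)"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
EOF

# Number of rule lines that are live (line starts with a rule action).
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 on stdout.
active_rules() {
    grep -cE '^(alert|log|pass|drop|reject|sdrop) ' "$1" || true
}

# Number of rule lines that are present but commented out ("#alert ...").
disabled_rules() {
    grep -cE '^#[[:space:]]*(alert|log|pass|drop|reject|sdrop) ' "$1" || true
}

# Basename of every .rules file under $RULES_DIR that contains sid:N.
file_for_sid() {
    grep -lE "sid:[[:space:]]*$1;" "$RULES_DIR"/*.rules | xargs -n1 basename
}

# Enable the rule with sid:N in place by removing only its leading "#".
# (If the sid appeared in several files, each would be edited.)
enable_sid() {
    for f in $(grep -lE "sid:[[:space:]]*$1;" "$RULES_DIR"/*.rules); do
        sed -i -E "/sid:[[:space:]]*$1;/s/^#[[:space:]]*//" "$f"
    done
}

# Walk-through when run directly: survey the files, find sid 363, enable it.
for f in "$RULES_DIR"/*.rules; do
    printf '%s: %s active, %s disabled\n' \
        "$(basename "$f")" "$(active_rules "$f")" "$(disabled_rules "$f")"
done
echo "sid 363 lives in: $(file_for_sid 363)"
enable_sid 363
echo "after enabling: $(active_rules "$RULES_DIR/protocol-icmp.rules") active in protocol-icmp.rules"
echo "sample directory left in $RULES_DIR for inspection"
```

Run it as-is; the survey shows icmp-info.rules with nothing to uncomment and protocol-icmp.rules with one disabled rule, which is the same picture the thread describes once the rule categories moved. Searching by sid rather than by the category file name is what keeps a lab walkthrough working across rule set reorganisations.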


On May 26, 2015, at 2:40 AM, Jamie Riden <jamie.riden at ...2420...> wrote:

There should be some content that looks like this - not this itself, I
stole it from fwsnort - but you get the general idea.

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)

Obviously, uncommenting it is left as an (easy) exercise for the
reader. If 2973 seems to be empty, try grabbing an older version.

cheers,
Jamie

On 26 May 2015 at 06:16, Diego Batigoal <diegobatigoal at ...3718...> wrote:
Hi,
Just got stuck in the setup of the pdf CEH Lab Manual Page 860-861.
I have downloaded the Snort 2973 and also downloaded the
snortrules-snapshot-2973.tar rules but the rules all seem to be empty
containing just the copyright information.

I have configured snort but I need to enable detection rules in snort rule
file. I am walking through the CEH lab and I am stuck at enabling ICMP rule.
I have the file icmp-info.rules in C:\Snort\rules. I only see this when I
open the file:

# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# ICMP-INFO RULES
#-----------------

I am supposed to uncomment an alert in the file, which should contain lots of
alerts commented out, but mine doesn't seem to have that content.
What can I do in this phase?

Regards,
Diego


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



--
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden

