[Snort-users] snort rules in 07272k.rules

kj kj at ...305...
Tue Aug 15 21:45:14 EDT 2000


I just have a few questions about snort 07272k.rules.

On line 142 it reads:

alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; 
content:"version|04|bind|0000 1000 03";)

Isn't it missing another "|" after the "03" in content?


On line 724:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - 
IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)

Should the content be "%2easp" or was the "..asp" the desired
result. I wasn't quite sure.

And just one more question. Does snort read the rules in the
order of the snort.rules? I am just wondering if I should
put the more common rules at the top or does snort order
them in a special internal way.

Thanks,

K.J.

-- 

"The downfall of mankind will be his indifference...ah, but who cares."





More information about the Snort-users mailing list