[Snort-users] snort rules in 07272k.rules

Tue Aug 15 21:45:14 EDT 2000

I just have a few questions about snort 07272k.rules.

On line 142 it reads:

alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)

Isn't it missing another "|" after the "03" in content?

On line 724:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)

Should the content be "%2easp", or was the "..asp" the desired
result? I wasn't quite sure.

And just one more question. Does snort read the rules in the
order of the snort.rules? I am just wondering if I should
put the more common rules at the top or does snort order
them in a special internal way.




"The downfall of mankind will be his indifference...ah, but who cares."
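
A lint for the `|` question raised about line 142, added here as an example and not part of the original post or of Snort itself: it decodes each `content` option the way the pipe notation is documented (text between `|` delimiters is hex bytes) and reports an unterminated hex block. The function names, the backslash-escape handling and the second sample rule (the first with a closing `|` appended) are assumptions made for this example.

```python
import re

# content:"..." options; backslash-escaped characters are allowed inside (assumption).
CONTENT_RE = re.compile(r'content\s*:\s*"((?:[^"\\]|\\.)*)"')

def decode_content(value):
    """Decode one content string to bytes; raise ValueError on a bad hex block."""
    out, hex_buf, in_hex, escaped = bytearray(), [], False, False
    for pos, ch in enumerate(value):
        if escaped:                       # previous character was a backslash
            out += ch.encode("latin-1")
            escaped = False
        elif ch == "\\" and not in_hex:
            escaped = True
        elif ch == "|":
            if in_hex:                    # closing delimiter: convert buffered hex
                digits = "".join("".join(hex_buf).split())
                if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                    raise ValueError(f"bad hex block ending at offset {pos}")
                out += bytes.fromhex(digits)
                hex_buf = []
            in_hex = not in_hex
        elif in_hex:
            hex_buf.append(ch)
        else:
            out += ch.encode("latin-1")   # literal text is matched byte for byte
    if in_hex:
        raise ValueError("unterminated hex block: missing closing '|'")
    return bytes(out)

def lint_rules(text):
    """Return (line_number, decoded_bytes_or_None, error_or_None) per content option."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # skip commented-out rules
        for match in CONTENT_RE.finditer(line):
            try:
                findings.append((line_no, decode_content(match.group(1)), None))
            except ValueError as exc:
                findings.append((line_no, None, str(exc)))
    return findings

# Rules 1 and 3 are quoted from the post; rule 2 is a constructed variant.
SAMPLE = "\n".join([
    'alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)',
    'alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03|";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)',
])

if __name__ == "__main__":
    for line_no, decoded, error in lint_rules(SAMPLE):
        print(line_no, error or decoded)
```

The pipe notation is the only encoding this decoder interprets, so `%2e.asp` comes back as the seven literal bytes `%2e.asp`.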

