[Snort-users] snort rules in 07272k.rules
kj at ...305...
Tue Aug 15 21:45:14 EDT 2000
I just have a few questions about snort 07272k.rules.
On line 142 it reads:
alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query";
content:"version|04|bind|0000 1000 03";)
Isn't it missing another "|" after the "03" in content?
On line 724:
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 -
IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)
Should the content be "%2easp" or was the "..asp" the desired
result? I wasn't quite sure.
And just one more question. Does snort read the rules in the
order of the snort.rules? I am just wondering if I should
put the more common rules at the top or does snort order
them in a special internal way.
"The downfall of mankind will be his indifference...ah, but who cares."
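
Added example, not part of the original post and not Snort's own code: a small Python lint for the content strings quoted above, assuming the documented content syntax in which text between a pair of "|" is hex bytes (spaces allowed). The name decode_content is hypothetical, and backslash escapes are not handled.

```python
import string

HEX_DIGITS = set(string.hexdigits)


def decode_content(pattern):
    """Decode a Snort content pattern into the bytes it would match.

    Returns (decoded_bytes, problems). Assumption: text between a pair
    of '|' is hex bytes; everything outside the pipes is literal text.
    """
    out = bytearray()
    problems = []
    segments = pattern.split("|")
    # Balanced pipes (an even count) always give an odd number of segments.
    if len(segments) % 2 == 0:
        problems.append("unbalanced '|': last hex block is never closed")
    for i, seg in enumerate(segments):
        if i % 2 == 0:  # outside pipes: literal characters
            out += seg.encode("latin-1")
            continue
        digits = seg.replace(" ", "")
        if any(c not in HEX_DIGITS for c in digits):
            problems.append(f"non-hex characters in block {seg!r}")
            continue
        if len(digits) % 2:
            problems.append(f"odd number of hex digits in block {seg!r}")
            continue
        out += bytes.fromhex(digits)
    return bytes(out), problems


if __name__ == "__main__":
    # Content strings copied from the two rules quoted in the post,
    # plus a constructed variant with a closing pipe for comparison.
    samples = [
        "version|04|bind|0000 1000 03",
        "version|04|bind|0000 1000 03|",
        "%2e.asp",  # no pipes: every character is a literal byte
    ]
    for s in samples:
        decoded, problems = decode_content(s)
        print(f"{s!r}\n  bytes: {decoded!r}\n  problems: {problems or 'none'}")
```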