[Snort-users] snort rules in 07272k.rules

Jim Forster jforster at ...176...
Wed Aug 16 10:16:27 EDT 2000


Looks like you caught two errors!  :)
I'll change those before the updated ruleset release later today. - Much
appreciated!
Also - for anyone that can test/verify the following new rules, I'd
appreciate hearing what you find.

Steve Shockley sent----
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"Inbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40;)
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"Inbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40;)
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"Outbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"Outbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40;)

Jim Forster
Network Administrator
RapidNet / DakotaConnect

When I'm feeling down, I like to whistle.
It makes the neighbor's dog run to the end of his chain and gag himself.
----- Original Message -----
From: "kj" <kj at ...305...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, August 15, 2000 7:45 PM
Subject: [Snort-users] snort rules in 07272k.rules


> I just have a few questions about snort 07272k.rules.
>
> On line 142 it reads:
>
> alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query";
> content:"version|04|bind|0000 1000 03";)
>
> Isn't it missing another "|" after the "03" in content?
>
>
> On line 724:
>
> alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 -
> IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)
>
> Should the content be "%2easp" or was the "..asp" the desired
> result? I wasn't quite sure.
>
> And just one more question. Does snort read the rules in the
> order of the snort.rules? I am just wondering if I should
> put the more common rules at the top or does snort order
> them in a special internal way.
>
> Thanks,
>
> K.J.
>
> --
>
> "The downfall of mankind will be his indifference...ah, but who cares."
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
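An added example, not from this thread or from Snort itself: a minimal Python re-implementation of the content/nocase/depth matching the Gnutella rules above rely on, plus the `|hex|` content escape that K.J.'s first question is about, so the rules can be exercised against constructed packets. It assumes $HOME_NET is 10.0.0.0/24 and that "depth: 40" means the pattern must lie within the first 40 payload bytes.

```python
import re

# Constructed assumption: anything in 10.0.0.0/24 counts as $HOME_NET.
def in_home_net(ip):
    return ip.startswith("10.0.0.")

def parse_content(spec):
    """Expand a Snort content string into bytes: text outside |...| is literal,
    text inside is hex (spaces allowed). An odd number of pipes means an
    unbalanced escape, which is the 'version|04|bind|0000 1000 03' problem."""
    if spec.count("|") % 2:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")           # literal text
        else:
            digits = part.replace(" ", "")
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError("bad hex in content: %r" % part)
            out += bytes.fromhex(digits)            # binary bytes
    return bytes(out)

def content_matches(payload, spec, nocase=False, depth=None):
    """Snort 'content' test; with depth, only the first `depth` bytes are searched."""
    pattern = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

# The four Gnutella rules from the mail as
# (src in $HOME_NET?, dst in $HOME_NET?, msg, content); "!$HOME_NET" is False.
GNUTELLA_RULES = [
    (False, True,  "Inbound GNUTella Connect request",  "GNUTELLA CONNECT"),
    (True,  False, "Inbound GNUTella Connect accept",   "GNUTELLA OK"),
    (True,  False, "Outbound GNUTella Connect request", "GNUTELLA CONNECT"),
    (False, True,  "Outbound GNUTella Connect accept",  "GNUTELLA OK"),
]

def alerts_for(src_ip, dst_ip, payload):
    """Return the msg of every rule whose direction and content both match."""
    hits = []
    for src_home, dst_home, msg, content in GNUTELLA_RULES:
        if (in_home_net(src_ip) == src_home and in_home_net(dst_ip) == dst_home
                and content_matches(payload, content, nocase=True, depth=40)):
            hits.append(msg)
    return hits
```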