[Snort-users] snort 1.8 changes - priorities & whatnot

Brian Caswell bmc at ...312...
Tue Apr 17 02:24:38 EDT 2001


Just a bit of warning, there are a number of changes that will be coming with
snort 1.8.  I have added rule classifications and priorities to snort 1.8
(with huge amounts of help from Andrew B. and Marty).  I have added a
classification to over 700 rules (available via CVS).

See below for an example of how it works.  If you have any further questions,
feel free to e-mail me or the snort-devel mailing list.

The following rules:
----
config classification: attempted-recon,Attempted Information Leak,3

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; \
flags: A+; uricontent:"/phf"; nocase; reference:arachnids,128; \
reference:cve,CVE-1999-0067; classtype:attempted-recon;)
----

Gives the output of:

[**] WEB-CGI phf access [**]
[Classification: Attempted Information Leak] [Priority: 3]
04/17-02:04:33.861311 192.168.5.2:27257 -> 192.168.0.1:80
TCP TTL:64 TOS:0x0 ID:25894 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0x48584C02  Ack: 0x394F8C32  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 705159029 517149464
[Xref => http://www.whitehats.com/info/128]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067]

For more examples, please check
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/classification.config?rev=1.3

-- 
Brian Caswell
The MITRE Corporation
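The mapping the post describes, as an added example that is not Snort's own code: a `config classification:` line defines the short name, the human-readable description and the priority, and a rule's `classtype:` option looks that short name up so the alert header can print `[Classification: ...] [Priority: N]`. The sample config and the phf rule are taken from the post; the second classification line, the `BAD_RULE` with an undefined classtype, the `REFERENCE_URLS` prefix table (the real reference.config is not on the page) and all function names are assumptions made for this example. Only the message, classification and Xref lines are rendered; the packet header lines in the post's output come from the captured packet and are not reproduced here.

```python
import re

# Constructed sample config: the first line is copied from the post, the
# second is an assumed extra class to show that lookups are per short name.
CLASSIFICATION_CONFIG = """\
config classification: attempted-recon,Attempted Information Leak,3
config classification: web-application-attack,Web Application Attack,1
"""

# The phf rule from the post, on one line.
PHF_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; '
    'flags: A+; uricontent:"/phf"; nocase; reference:arachnids,128; '
    'reference:cve,CVE-1999-0067; classtype:attempted-recon;)'
)

# Constructed rule whose classtype is not defined in the config, to show
# what a configuration check should catch.
BAD_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI example"; '
    'uricontent:"/example"; classtype:no-such-class;)'
)

# Assumed reference-system to URL-prefix table; the two prefixes match the
# Xref lines shown in the post, but Snort's reference.config is not on the page.
REFERENCE_URLS = {
    "arachnids": "http://www.whitehats.com/info/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}

_CLASS_PREFIX = "config classification:"
# One rule option: name, optional ':' value (quoted or up to ';'), then ';'.
_OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')


def parse_classifications(text):
    """Map classtype short name -> (description, priority) from config lines."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(_CLASS_PREFIX):
            continue
        short, desc, prio = (p.strip() for p in line[len(_CLASS_PREFIX):].split(",", 2))
        classes[short] = (desc, int(prio))
    return classes


def parse_rule_options(rule):
    """Return the options inside the rule's parentheses as (name, value) pairs.

    value is None for flag-style options such as nocase; quoted values have
    their quotes removed.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in _OPTION_RE.finditer(body):
        name, value = m.group(1), m.group(2)
        if value is not None:
            value = value.strip().strip('"')
        opts.append((name, value))
    return opts


def alert_header(rule, classes):
    """Render the message, classification and Xref lines of the alert."""
    opts = parse_rule_options(rule)
    values = dict(opts)
    lines = [f"[**] {values.get('msg', '')} [**]"]
    classtype = values.get("classtype")
    if classtype in classes:
        desc, prio = classes[classtype]
        lines.append(f"[Classification: {desc}] [Priority: {prio}]")
    for name, value in opts:
        if name == "reference" and value:
            system, _, ident = value.partition(",")
            prefix = REFERENCE_URLS.get(system.strip())
            if prefix:
                lines.append(f"[Xref => {prefix}{ident.strip()}]")
    return "\n".join(lines)


def check_rules(rules, classes):
    """Flag rules with no classtype or a classtype absent from the config."""
    problems = []
    for rule in rules:
        values = dict(parse_rule_options(rule))
        ct = values.get("classtype")
        if ct is None:
            problems.append((values.get("msg", ""), "no classtype"))
        elif ct not in classes:
            problems.append((values.get("msg", ""), f"unknown classtype {ct}"))
    return problems


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    print(alert_header(PHF_RULE, classes))
    for msg, why in check_rules([PHF_RULE, BAD_RULE], classes):
        print(f"rule {msg!r}: {why}")
```

Running the block prints the same first two lines and both Xref lines shown in the post for the phf rule, and then reports the constructed second rule as referencing an undefined classtype. Because priorities come from the config rather than the rule, a classtype that is misspelled or missing from classification.config silently loses its classification and priority in the output, which is why a check like `check_rules` belongs in any rule-loading pipeline.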