[Snort-users] Rules from Snort don't match Arachnids?

rottz at ...1904... rottz at ...1904...
Wed Apr 25 21:14:08 EDT 2001


Tom,

Snort.org is maintained by Jim Forster
Whitehats.com is maintained by Max Vision

As far as I know (max and jim can correct me) there is NO correlation
And from what I can tell, the one from snort.org is for 1.6- and the
rule from whitehats.com is for 1.7+

Personally I would go with the one from ArachNIDs cause it was recently
updated by Max trojan-active-netmetro - Modified 2001/04/23 05:34

I would also like to take this time to ask if we can correct
"reference:arachnids,#;"
Because sp_reference.h line 32 points to
"http://www.whitehats.com/info/" which should be
"http://www.whitehats.com/info/IDS" or we will have to change the
reference tags to "reference:arachnids,IDS#;" Either will work but I
prefer to change sp_reference.h so we can cut down the space in the
rules file, because they are getting pretty BIG now a days.

Rottz
rottz at ...1904...

>Tom Jacobsen wrote:
> 
> Hi All,
> 
> Snort picked up some events based on the following rule (rulebase comes
> from snort.org).
> 
> $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming
> Traffic"; flags: A+;  refer
> ence:arachnids,79;)
> 
> To get more information on this rule, I went to www.whitehats.com to lookup
> arachnids 79.  But the database there says the snort rule should be
> 
> alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg:
> "IDS79/trojan-active-netmetro"; flags: SA;)
> 
> What's the deal?  Who should I believe.  Are there more disconnects between
> snort.org and arachnids?  The triggered events were probably harmless they
> were from EXTERNAL:5031 to WebServer:443.  Most likely innocent https traffic.
> 
> What shall I do?  Thoughts? Comments?
> 
> Thanks,
> Tom.0
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list