[Snort-users] rules-db.pl try 2

Victor Barahona victor.barahona at ...700...
Wed Jan 10 14:10:38 EST 2001



On Wednesday 10 January 2001 19:27, Chris Green wrote:
>Victor Barahona <victor.barahona at ...700...> writes:
>> There is a little problem: all the rules are in one line. It will be
>> better to add a carriage return.
>
>Your patch adds
>
>     $rules .="$_\n";
>
>This makes all the rules with one line of whitespace between them.  I
>don't chomp the lines so there is still the newline from the original
>cgi output.

Well, something is going wrong then, because that's what I get:

[root at ...701... barahona]# ./rules-db.pl
Snort Rules Additions since 01/01/2001:

alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ 
Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 
73 71|";) alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - 
SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; 
content:"acidphreak"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 
1MB"; nocase; depth: 8;) alert icmp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"BETA - PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; 
itype: 8; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK 
"; flags: AP; msg:"BETA - Possible IRC Access";) alert tcp $HOME_NET any 
-> $EXTERNAL_NET any (content: "User-Agent\:ICQ"; flags:AP; msg: "BETA - 
ICQ 2000 Access";) alert icmp $EXTERNAL_NET any -> $HOME_NET any
[much more]

I'm using RedHat 7, perl 5.6.0. What happened? I don't know, but I need to
add the newline at the end.

[root at ...701... barahona]# ./rules-db.pl.patch

Snort Rules Additions since 01/01/2001:

alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ 
Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 
73 71|";) alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - 
SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; 
content:"acidphreak"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - 
possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; 
content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; 
msg:"BETA - Possible IRC Access";)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "User-Agent\:ICQ"; 
flags:AP; msg: "BETA - ICQ 2000 Access";)
[much more]


>To test what output looks like, set
>
>my $days_ago = 9;

That was my first try, but when I saw the "monster line" I tried to fix it.

I don't know if this is happening just to me.

Cheers

-- 
"Alone? you are not alone, Bigbrother is watching you"

------------------------------------------------------------------------
Soporte Seguridad en red........................http://www.utc.uam.es/ss
Unidad Tecnica de Comunicaciones...................http://www.utc.uam.es
Universidad Autonoma de Madrid.........................http://www.uam.es
Tlf.- 91 397 5525                                      PGP ID-0x8750AB79
------------------------------------------------------------------------
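For the "monster line" output shown above, an added example (not part of this thread or of rules-db.pl): a small Python splitter that emits one Snort rule per line whether or not the source text separated the rules with newlines. It ends a rule at the ')' closing its option block, ignoring parentheses and quotes inside quoted strings; the sample input is constructed to mimic the thread's output.

```python
# Constructed sample in the shape of the thread's output: two rules run
# together on one line with no newline, then a rule that already ends in one.
SAMPLE = (
    'alert tcp any any -> any 7597 (msg:"QAZ (test)"; flags:PA; '
    'content:"|71 61 7a|";) alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(content:"NICK "; flags:AP; msg:"BETA - Possible IRC Access";)\n'
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; '
    'content:"|3839 3a3b|"; depth:100; itype:8;)\n'
)


def split_snort_rules(text):
    """Return one rule per list element, however the input is broken into lines.

    A rule ends at the ')' that closes its option block.  Parentheses and
    quotes inside a quoted string (e.g. msg:"foo (bar)") do not count, and a
    backslash escapes the next character inside a string.
    """
    rules = []
    buf = []
    depth = 0           # '(' nesting outside quoted strings
    in_quote = False
    escaped = False
    for ch in text:
        buf.append(ch)
        if in_quote:
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_quote = False
            continue
        if ch == '"':
            in_quote = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:          # option block closed: rule complete
                rules.append(''.join(buf).strip())
                buf = []
    tail = ''.join(buf).strip()
    if tail:                        # unterminated text is kept, not dropped
        rules.append(tail)
    return rules


def one_per_line(text):
    """Normalise rule text so every rule ends with exactly one newline."""
    return '\n'.join(split_snort_rules(text)) + '\n'
```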

