[Snort-users] New Ruleset
habu at ...1066...
Fri Mar 30 01:57:31 EST 2001
I downloaded the new ruleset released at March 28th.
Ruleset has been updated 3 times this month --
1st, 15th, 28th. (Great!)
Now I took a look at the newest ruleset, but
I'm a little confused... it is close to rule of March 1st,
rather than March 15th, except for rule genres"SQL" and "Virus".
I mean it seems that changes between March 1st and 15th
are not reflected to that of 28th.
1) In "misc.rules" file of March 1st,
there were 3 rules like that:
alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to
<1024"; flags:S; reference:arachnids,06;)
and once the port number ":1023" had changed to ":1024"
at 15th. However, the latast rule shows ":1023" again.
Which rules are really correct?
2) rules of arachnids 483,484,485 are appeared at 15th
in backdoor.rules,but they are deleted at 28th.
On the other hand, arachnids 397,398 rules are
disappeared at 15th and revived at 28th.
Are they all right?
3) 13 rules in web-misc which contains
"$EXTERNAL_NET 80 -> $HTTP_SERVERS any" are
deleted at 28th. (this topic was discussed in this mailing
list recently) Why don't you correct them instead of
4) In rservices.rules, 3 rules (rlogin failure and
two rsh login failure rules) has changed at 15th:
destination port any to 513. But they are set to any
in 28th rule again. Which is preferable?
5) "Possible Squid Scan" and "portmap listing 32771" rules
are made in scan.rules at 15th, but deleted at 28th.
Why(maybe because of false positive)?
6) In "Queso fingerprint" rule in scan.rules, the condition
"ttl: >225;" added at 15th, but deleted at 28th.
Don't you need this condition?
By the way, I also found 3 rules which seems odd.
1) in info.rules:
msg:"ICMP Unassigned! (Type 2) (Undefined Code);
there should be double quotation before semicolon. and:
msg:"ICMP Unassigned! (Tupe 1) (Undefined Code)";
there is mistyping "Tupe 1"->"Type 1"
(although this doesn't matter much)
2) In WEB-IIS WEBDAV Search DOS Attempt rule
in web-iis.rules,"reference:bugtraw,2483;" is also
mistyping of "bugtraq", I think.
More information about the Snort-users