[Snort-users] Virus pattern detection
bmc at ...950...
Wed Sep 26 05:58:01 EDT 2001
According to Miguel Koren O'Brien de Lacy:
> By reading the Snort User's Manual, where I see that: it seems to be
> possible to use plug-ins from:
> Bugtraq http://www.securityfocus.com/bid/
> CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=
> Arachnids http://www.whitehats.com/info/IDS
> McAfee http://vil.nai.com/vil/dispVirus.asp?virus_k=
No, you have that all wrong.
Those are URLs for the "sp_reference" plugin. You can use that inside
of a signature like this.
alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)
Then on output instead of seeing "bugtraq,10", you see
There are 5 types of references available: Bugtraq, CVE, ArachNIDS,
McAfee, and URL. This plugin makes the signature maintainer's life
easier when a site changes searching criteria.
I could dance till the cows come home. On second thought, I'd rather
dance with the cows till you come home.
-- Groucho Marx
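
The expansion described in the reply above, as an added example that is not part of the original post and is not Snort's own code: it pulls the reference options out of a rule and joins each id to the URL prefix quoted in the thread. The lowercase keywords other than "bugtraq", the "http://" prefix for url, and the sample rule are assumptions.

```python
# Prefixes are the ones quoted in the post. Keywords other than "bugtraq"
# and the "http://" prefix for "url" are assumptions of this example.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}

def split_options(rule):
    """Return (keyword, value) pairs from the parenthesised option block."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("no option block in rule")
    options, buf, quoted, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        if ch == ";" and not quoted:      # a ';' inside "..." is not a separator
            key, _, value = buf.strip().partition(":")
            options.append((key.strip(), value.strip()))
            buf = ""
            continue
        if ch == '"' and not escaped:     # \" does not open or close a string
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        buf += ch
    if buf.strip():
        raise ValueError("option block does not end with ';'")
    return options

def expand_references(rule):
    """Return what each reference option in `rule` resolves to, in rule order."""
    urls = []
    for key, value in split_options(rule):
        if key != "reference":
            continue
        system, sep, ident = value.partition(",")
        system, ident = system.strip().lower(), ident.strip()
        if not sep or not ident:
            raise ValueError(f"malformed reference: {value!r}")
        prefix = REFERENCE_PREFIXES.get(system)
        # Unknown systems stay as raw "system,id" text instead of a guessed URL.
        urls.append(prefix + ident if prefix else f"{system},{ident}")
    return urls

# Constructed sample rule; the CVE id and the url value are placeholders.
SAMPLE_RULE = ('alert tcp any any -> any any (msg:"semi; colon (quoted)"; '
               'reference:bugtraq,10; reference:cve,CAN-0000-0000; '
               'reference:url,example.com/advisory;)')
print("\n".join(expand_references(SAMPLE_RULE)))
```

Because rules store only the short "system,id" pair, a change on the referenced site means editing one prefix in the table, not every rule.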