[Snort-users] Virus pattern detection

Brian bmc at ...950...
Wed Sep 26 05:58:01 EDT 2001


According to Miguel Koren O'Brien de Lacy:
> By reading the Snort User's Manual, where I see that: it seems to be
> possible to use plug-ins from:
> 
> Bugtraq http://www.securityfocus.com/bid/
>         CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=
>         Arachnids http://www.whitehats.com/info/IDS
>         McAfee http://vil.nai.com/vil/dispVirus.asp?virus_k=

No, you have that all wrong.

Those are URLs for the "sp_reference" plugin.  You can use that inside
of a signature like this.

alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)

Then on output instead of seeing "bugtraq,10", you see
http://www.securityfocus.com/bid/10

There are 5 types of references available: Bugtraq, CVE, ArachNIDS,
McAfee, and URL.  This plugin makes the signature maintainer's life
easier when a site changes searching criteria.

-brian

-- 
I could dance till the cows come home.  On second thought, I'd rather
dance with the cows till you come home.
		-- Groucho Marx
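The expansion Brian describes, as an added example that is not part of the original post and not Snort's own sp_reference code: a small Python parser pulls every `reference:` option out of a rule and maps the `system,id` pair to the URL prefixes listed above. The four prefixes for Bugtraq, CVE, ArachNIDS and McAfee come from the thread; the `http://` prefix for the `url` system is an assumption (it matches what Snort's default reference configuration uses), and leaving an unknown system unexpanded rather than guessing a URL is this example's choice.

```python
import re

# URL prefixes for the five reference systems named in the thread.
# The "url" entry is not given in the post and is assumed here; Snort's
# default reference configuration prepends "http://" to url references.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}


def split_options(body):
    """Split the text inside a rule's parentheses into (keyword, value) pairs.

    A semicolon inside double quotes (msg:"a;b") does not end an option, and
    a backslash escapes the next character, following Snort's option syntax.
    Keywords are lower-cased; options without a ':' get a value of None.
    """
    options, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        options.append("".join(cur))

    pairs = []
    for opt in options:
        opt = opt.strip()
        if not opt:
            continue
        key, sep, value = opt.partition(":")
        pairs.append((key.strip().lower(), value.strip() if sep else None))
    return pairs


def expand_reference(value):
    """Turn 'bugtraq,10' into the URL the reference plugin would print.

    The system name is matched case-insensitively. An unknown system is
    returned as written (this example's choice) instead of inventing a URL.
    """
    system, sep, ident = value.partition(",")
    if not sep:
        raise ValueError("reference needs 'system,id', got %r" % value)
    prefix = REFERENCE_PREFIXES.get(system.strip().lower())
    if prefix is None:
        return value
    return prefix + ident.strip()


def rule_references(rule):
    """Return every reference option in a Snort rule, expanded to a URL."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option body: %r" % rule)
    return [expand_reference(v)
            for k, v in split_options(m.group(1))
            if k == "reference" and v is not None]


if __name__ == "__main__":
    # Constructed sample rules, including a msg containing ';' and two
    # references on one rule, which the naive split-on-';' approach gets wrong.
    for rule in (
        'alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)',
        'alert tcp any any -> any any (msg:"semi;colon"; '
        'reference:cve,CVE-1999-0001; reference:ARACHNIDS,177;)',
        'alert tcp any any -> any any (msg:"vendor page"; reference:url,www.example.com/advisory;)',
    ):
        print(rule_references(rule))
```

Because the prefixes live in one table, a changed lookup URL at Bugtraq or CVE is a one-line edit here rather than a change to every rule that cites it, which is the maintenance benefit Brian points out.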
