[Snort-users] large updates to signatures

Brian bmc at ...950...
Wed Feb 13 07:09:22 EST 2002


In case you are not subscribed to snort-cvs, we've made a large number
of changes to the signatures in the last few days.  If you are
subscribed, ignore this.  For everyone else, here is a quick update.

We are adding references and other signature updates as people submit 
documentation for the snort signature database (And a great big thanks 
to everyone that has been doing that, keep up the good work).  

We have removed many of the offset/depths from the MSSQL signatures
and added its ports to the default list of stream4 decoders.  Since
we do not have an instance of MSSQL, it is hard to verify where in a
stream some of the potentially bad functions can be placed, so we've
decided to check the entire stream.  (Thanks Chris Green for pointing
that out).

Thanks to Jon Hart and Chris Green, we've added a number of SNMP
signatures that should help in your quest to catch evil doers.

A new feature that will be released in 1.8.4 named "" allows us to
specify which direction a signature is supposed to be looking in.  For
example, if you have:

   alert ... (msg:"BLAH"; content:"BLAH"; to_server;)

Snort would only alert if the client was sending BLAH to the server.
This will allow us to remove yet another layer of false positives by
only looking for attacks in the direction they are supposed to be
traveling.  The syntax may change, but the outcome will be the same.

For those using snort-current, the signatures will start using this
feature soon.  Look for it in a CVS update near you.

-brian

-- 
Quidquid latine dictum sit, altum videtur.
(Whatever is said in Latin sounds profound.)
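The two changes announced above, dropping offset/depth from the MSSQL rules and adding a direction option, both come down to how a content match is scoped. The toy matcher below is an added illustration, not Snort code and not part of the original message: it models a rule with an optional `offset`/`depth` window and an optional `to_server`/`to_client` direction (the option name is taken from the example rule in the message; the real Snort syntax may differ, as the message itself warns), and runs it over constructed packets to show why a depth-limited match can miss content placed later in a stream and why a direction-limited match stops alerting on a server echoing the same bytes back. Port 1433 is used only as a constructed MSSQL service port for the sample.

```python
"""Toy direction- and depth-aware content matcher (added illustration, not Snort)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    content: bytes
    server_port: int                 # service port the rule is written against
    direction: Optional[str] = None  # "to_server", "to_client", or None = either
    offset: int = 0                  # start of the search window in the payload
    depth: Optional[int] = None      # window length; None = search the whole payload


def packet_direction(pkt: Packet, server_port: int) -> Optional[str]:
    """Classify a packet relative to the rule's service port."""
    if pkt.dst_port == server_port:
        return "to_server"
    if pkt.src_port == server_port:
        return "to_client"
    return None


def content_matches(payload: bytes, rule: Rule) -> bool:
    """Apply the offset/depth window, then look for the content inside it."""
    window = payload[rule.offset:]
    if rule.depth is not None:
        window = window[:rule.depth]
    return rule.content in window


def match(rule: Rule, pkt: Packet) -> bool:
    """Direction check first (cheap), then the content check."""
    if rule.direction is not None and packet_direction(pkt, rule.server_port) != rule.direction:
        return False
    return content_matches(pkt.payload, rule)


def alerts(rule: Rule, packets: List[Packet]) -> List[int]:
    """Indices of packets that would raise an alert for this rule."""
    return [i for i, pkt in enumerate(packets) if match(rule, pkt)]


# Constructed sample traffic for a hypothetical service on port 1433:
#   0: client sends BLAH to the server  (the case the rule is written for)
#   1: server echoes BLAH back to the client (would be a false positive)
#   2: client sends BLAH, but 40 bytes into the payload
SAMPLE = [
    Packet(src_port=40000, dst_port=1433, payload=b"exec BLAH"),
    Packet(src_port=1433, dst_port=40000, payload=b"error near BLAH"),
    Packet(src_port=40000, dst_port=1433, payload=b"x" * 40 + b"BLAH"),
]

# Same content, three scopings.
RULE_ANY_DIR = Rule("BLAH either direction", b"BLAH", 1433)
RULE_TO_SERVER = Rule("BLAH to_server", b"BLAH", 1433, direction="to_server")
RULE_DEPTH16 = Rule("BLAH within first 16 bytes", b"BLAH", 1433,
                    direction="to_server", depth=16)

if __name__ == "__main__":
    for rule in (RULE_ANY_DIR, RULE_TO_SERVER, RULE_DEPTH16):
        print(f"{rule.msg!r}: alerts on packets {alerts(rule, SAMPLE)}")
```

Running it shows the either-direction rule firing on all three packets, the `to_server` rule dropping the server's echo (packet 1), and the depth-16 rule also dropping packet 2, which is exactly the kind of miss that motivated removing offset/depth from the MSSQL rules when the position of the content in the stream is not known.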