[Snort-users] some policy rules missing in 1.8.7 beta5?

Michael Scheidell scheidell at ...5171...
Fri May 31 10:18:09 EDT 2002


Ok, so I don't keep up with all of these rules like I should, but updating
from the 1.8.6 release to 1.8.7beta5 and looking at the rule changes, I found these missing
from policy.rules, and in fact missing from any rules in the 1.8.7beta5
distribution:
 grep -c ^alert policy.rules
7
(7 rules, one commented out)
in 1.8.6 policy rules:

grep -c ^alert policy.rules
30
(many of these were sent to p2p, but some seem missing)

policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO ICQ access"; flags: A+; content: "User-Agent\:ICQ"; resp: rst_all; classtype:misc-activity; sid:541; rev:3;)

policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; flags: A+; content:"text/plain"; depth:100; classtype:misc-activity; sid:540; rev:3;)



policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flags:A+; content:"GNUTELLA OK"; depth:40; resp: rst_all; classtype:misc-activity; sid:558; rev:3;)
(there is a SIMILAR rule in p2p, but for the inbound request)

policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Inbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; resp: rst_all; classtype:misc-activity; sid:559; rev:3;)


Recommend adding these to the p2p rules?


Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net
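Counting `^alert` lines only tells you how many rules a file has, not which ones went away. The script below is an added example, not code from the post or from the Snort project: it indexes two releases' rule files by sid, joins backslash-continued rule lines the way Snort does, and reports sids that were live in the old release but are absent, commented out, or moved to another file in the new one. The embedded rule sets are constructed for the demo from the four rules quoted above (the "new" set keeps sid 540, comments out 541, drops 558 and relocates 559 to p2p.rules); they are not the real 1.8.6 or 1.8.7beta5 files.

```python
"""Report Snort rules (by sid) that are present in one release's rule files
but missing, commented out, or moved in another release."""
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def logical_lines(text):
    """Yield rule lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rules(text):
    """Map sid -> {"msg": str, "active": bool} for each alert rule in text.
    A rule line starting with '#' counts as present but disabled."""
    rules = {}
    for line in logical_lines(text):
        stripped = line.strip()
        active = stripped.startswith("alert")
        disabled = stripped.startswith("#") and "alert" in stripped
        if not (active or disabled):
            continue
        m = SID_RE.search(stripped)
        if not m:
            continue  # a rule without a sid cannot be tracked across releases
        msg = MSG_RE.search(stripped)
        rules[int(m.group(1))] = {"msg": msg.group(1) if msg else "",
                                  "active": active}
    return rules


def index_ruleset(files):
    """files: {filename: text}. Returns sid -> (filename, msg, active)."""
    index = {}
    for name, text in files.items():
        for sid, info in parse_rules(text).items():
            # If a sid appears twice, an active copy wins over a commented one.
            if sid not in index or (info["active"] and not index[sid][2]):
                index[sid] = (name, info["msg"], info["active"])
    return index


def compare_rulesets(old_files, new_files):
    """Classify every rule that was active in old_files by its fate in new_files."""
    old, new = index_ruleset(old_files), index_ruleset(new_files)
    report = {"missing": [], "disabled": [], "moved": []}
    for sid in sorted(old):
        if not old[sid][2]:
            continue  # only rules that were live in the old release matter
        if sid not in new:
            report["missing"].append((sid, old[sid][0], old[sid][1]))
        elif not new[sid][2]:
            report["disabled"].append((sid, new[sid][0], old[sid][1]))
        elif new[sid][0] != old[sid][0]:
            report["moved"].append((sid, old[sid][0], new[sid][0]))
    return report


# Constructed sample rule sets (not the real distribution files); one rule is
# split with a backslash continuation to exercise logical_lines().
OLD_RULES = {"policy.rules": r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO ICQ access"; flags:A+; content:"User-Agent\:ICQ"; resp:rst_all; classtype:misc-activity; sid:541; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; flags:A+; content:"text/plain"; depth:100; classtype:misc-activity; sid:540; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; \
    flags:A+; content:"GNUTELLA OK"; depth:40; resp:rst_all; classtype:misc-activity; sid:558; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Inbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; resp:rst_all; classtype:misc-activity; sid:559; rev:3;)
'''}
NEW_RULES = {"policy.rules": r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; flags:A+; content:"text/plain"; depth:100; classtype:misc-activity; sid:540; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO ICQ access"; flags:A+; content:"User-Agent\:ICQ"; resp:rst_all; classtype:misc-activity; sid:541; rev:3;)
''', "p2p.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Inbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; resp:rst_all; classtype:misc-activity; sid:559; rev:3;)
'''}

if __name__ == "__main__":
    for kind, entries in compare_rulesets(OLD_RULES, NEW_RULES).items():
        for entry in entries:
            print(kind, *entry)
```

To run it against real releases, build the two dicts by reading every `*.rules` file in each unpacked distribution; comparing by sid rather than by file name is what catches rules that were merely relocated (policy.rules to p2p.rules) instead of dropped.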