[Snort-users] Fwd: Snort 2.9.4.5 rules using pp

Ashraf Ali ashrafali.ibs at ...11827...
Wed Apr 24 05:27:52 EDT 2013


It is a copy-and-paste problem. I have uploaded the actual file at
http://www.ziddu.com/download/22073463/snort-rules.rar.html

Please check.

Ashraf




On Wed, Apr 24, 2013 at 2:21 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/24/2013 02:07, Ashraf Ali wrote:
> >
> > Can somebody please check ...
> >
> > Below are some of the rules from the snort.rules file, which PP has created.
> >
> [trim]
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC
> NCACN-IP-TCP
> > brightstor-arc ReserveGroup attempt"; flow:established,to_server;
> > dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38;
> metadata:policy
> > balanced-ips drop, policy connectivity-ips drop, policy security-ips
> drop,
> > service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917;
> > reference:url,www.lssec.com/advisories/LS-20061001.pdf
> > <http://www.lssec.com/advisories/LS-20061001.pdf>;
> > classtype:protocol-command-decode; sid:10018; rev:9;)
> >
> \d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO";
> > metadata:policy security-ips drop, service http; reference:bugtraq,22196;
> > reference:bugtraq,33469; reference:cve,2007-0018;
> > reference:url,www.kb.cert.org/vuls/id/292713
> > <http://www.kb.cert.org/vuls/id/292713>; classtype:attempted-user;
> sid:10086;
> > rev:10;)
>
> unless this is a bad copy'n'paste, the above looks broken... the first 8
> quoted lines are from one rule but the 9th line doesn't start off properly
> to be a valid rule (sid 10086)...
>
> if this is a good copy'n'paste, your snort should have errored out on the
> above...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
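The check described in the quoted reply, that an entry which does not start off as a rule cannot be a valid rule, can be run mechanically over a generated rules file before Snort loads it. The following Python linter is an added example, not part of the original thread and not code from Snort or PulledPork; the function names and the sample text are constructed for illustration, and the header pattern assumes Snort 2.x actions with the tcp/udp/icmp/ip protocols only.

```python
import re

# Snort 2.x rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(?:alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+(?:tcp|udp|icmp|ip)\s+"
    r"\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def logical_lines(text):
    """Yield (first_line_number, joined_text), honouring trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()


def lint_rules(text):
    """Return a list of (line_number, problem) for entries that cannot be valid rules."""
    problems = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank lines, comments and disabled rules
        if not HEADER.match(line):
            problems.append((no, "does not start with a rule header"))
        elif not line.endswith(")"):
            problems.append((no, "options block is not closed with ')'"))
        elif not SID.search(line):
            problems.append((no, "no sid option"))
    return problems


# Constructed sample: one complete rule, then a fragment that starts mid-pcre,
# shaped like the truncated sid 10086 entry quoted in the message.
SAMPLE = r'''# constructed sample, not the poster's file
alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC example"; flow:established,to_server; dce_opnum:38; classtype:protocol-command-decode; sid:10018; rev:9;)
\s*\.\s*(SetFormatLikeSample|CreateFile)\s*\(/smiO"; metadata:service http; classtype:attempted-user; sid:10086; rev:10;)
'''

if __name__ == "__main__":
    for no, problem in lint_rules(SAMPLE):
        print("line %d: %s" % (no, problem))
```

A rule that a mail client or editor has hard-wrapped shows up as two findings: an unclosed options block on the first part and a missing header on the remainder.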