[Snort-users] querying www.snort.org/rule_docs/{REV}-{SID}

wkitty42 at windstream.net
Mon Jan 21 06:50:34 EST 2019


On 1/21/19 6:05 AM, koppfabi wrote:
> i would like to query https://www.snort.org/rule_docs/{REV}-{SID} for 
> meta-information about all the rules, in order to decide if the rule should
> be turned on or off in an environment.

isn't this metadata already available in the rules themselves?

eg:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)


so in the above, we have:
- the MSG that states what the rule looks for
- the rule's flow direction, origin and destination
- content that the rule is looking for
- this rule is thresholded, looking for one connection from the same source every 
five minutes
- the rule's reference url
- the rule's classification
- the rule's SID and revision
- meta data stating when the rule was created and last updated

other than what might happen to be written up at the given URL, what else are we 
looking for?

so, if this is everything being sought, and it is all the available information 
after all, then scanning the rules locally would probably be more of what you 
want to do...



-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
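As an added example of the local scan suggested above (this is not code from the thread, from Snort or from Emerging Threats), the following Python pulls the fields listed in the reply (msg, flow, content, threshold, reference, classtype, sid/rev, metadata) out of a Snort 2.9-style rules file and runs a local enable/disable policy over them. The first sample rule is the ET rule quoted in the reply; the two LOCAL rules (SIDs in the 1000000+ local range), the should_enable() policy and its thresholds are hypothetical.

```python
"""Pull per-rule metadata out of a Snort 2.9-style rules file and apply a local policy.

Added example for this thread; it is not code from the post, from Snort or from
Emerging Threats.  The rule grammar follows the Snort 2.9 manual; the local
policy in should_enable() and the two LOCAL sample rules are hypothetical.
"""
import re
from datetime import date

HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Constructed sample: the ET rule quoted in the post plus two hypothetical LOCAL
# rules (SIDs in the 1000000+ local range); one is commented out upstream.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL hypothetical outbound 4444"; flow:established,to_server; classtype:trojan-activity; sid:1000001; rev:1; metadata:created_at 2019_01_10, updated_at 2019_01_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL hypothetical escaped \; in msg"; content:"|00 01|"; classtype:attempted-recon; sid:1000002; rev:2; metadata:created_at 2018_12_01, updated_at 2019_01_05;)
'''


def split_options(opts):
    """Split the option body on ';' without breaking on ';' inside quotes or after a backslash."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and i + 1 < len(opts):   # keep "\;" and "\"" verbatim for now
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return header fields plus the metadata options for one rule line, or None if it is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['enabled'] = m.group('disabled') is None
    rule.update(references=[], contents=[], metadata={}, threshold={})
    for opt in split_options(m.group('opts')):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'msg':
            rule['msg'] = re.sub(r'\\(.)', r'\1', value.strip('"'))   # drop the escaping backslashes
        elif name in ('sid', 'rev'):
            rule[name] = int(value)
        elif name == 'classtype':
            rule['classtype'] = value
        elif name == 'reference':
            rule['references'].append(value)
        elif name == 'flow':
            rule['flow'] = value.split(',')
        elif name == 'content':
            rule['contents'].append(value)
        elif name == 'threshold':
            fields = [f.strip().split(None, 1) for f in value.split(',')]
            rule['threshold'] = dict(f for f in fields if len(f) == 2)
        elif name == 'metadata':
            for item in value.split(','):
                k, _, v = item.strip().partition(' ')
                rule['metadata'][k] = v.strip()
    return rule


def parse_rules(text):
    """Parse every rule line in a rules file; blank lines and plain comments are skipped."""
    return [r for r in map(parse_rule, text.splitlines()) if r]


def _ymd(s):
    """Parse the 2010_07_30 date form used in ET metadata."""
    return date(*(int(x) for x in s.split('_')))


def should_enable(rule, today=None, max_age_days=5 * 365, skip_classtypes=('policy-violation',)):
    """Hypothetical local policy; returns (decision, reason). 'today' is a YYYY_MM_DD string."""
    today = date.today() if today is None else _ymd(today)
    if not rule['enabled']:
        return False, 'already disabled upstream'
    if rule.get('classtype') in skip_classtypes:
        return False, 'classtype %s excluded locally' % rule['classtype']
    updated = rule['metadata'].get('updated_at')
    if updated and (today - _ymd(updated)).days > max_age_days:
        return False, 'not updated since %s' % updated
    return True, 'keep'


if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        enable, why = should_enable(r, today='2019_01_21')
        print('%-8s rev %-2s %-5s %s  (%s)' % (r['sid'], r['rev'], enable, r['msg'], why))
```

The splitter is the part worth getting right: a naive split on ';' breaks on escaped semicolons inside msg strings, and anything that parses metadata from a rules file should be tested against such lines before it is trusted to flip rules on or off.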