<div dir="ltr"><div><div>it a copy n paste problem ,I have uploaded the actual file at <a href="http://www.ziddu.com/download/22073463/snort-rules.rar.html">http://www.ziddu.com/download/22073463/snort-rules.rar.html</a><br>
<br></div>pls check.<br><br></div>Ashraf<br><div><div><div><div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">
On Wed, Apr 24, 2013 at 2:21 PM, waldo kitty <span dir="ltr"><<a href="mailto:wkitty42@...14940..." target="_blank">wkitty42@...14940...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>On 4/24/2013 02:07, Ashraf Ali wrote:<br>
><br>
> Can some body  pls check ...<br>
><br>
> Below are some the rules from snort.rules file , which PP has created.<br>
><br>
</div>[trim]<br>
<div>> alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP<br>
> brightstor-arc ReserveGroup attempt"; flow:established,to_server;<br>
> dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; metadata:policy<br>
> balanced-ips drop, policy connectivity-ips drop, policy security-ips drop,<br>
> service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917;<br>
> reference:url,<a href="http://www.lssec.com/advisories/LS-20061001.pdf" target="_blank">www.lssec.com/advisories/LS-20061001.pdf</a><br>
</div>> <<a href="http://www.lssec.com/advisories/LS-20061001.pdf" target="_blank">http://www.lssec.com/advisories/LS-20061001.pdf</a>>;<br>
<div>> classtype:protocol-command-decode; sid:10018; rev:9;)<br>
> \d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO";<br>
> metadata:policy security-ips drop, service http; reference:bugtraq,22196;<br>
> reference:bugtraq,33469; reference:cve,2007-0018;<br>
> reference:url,<a href="http://www.kb.cert.org/vuls/id/292713" target="_blank">www.kb.cert.org/vuls/id/292713</a><br>
</div>> <<a href="http://www.kb.cert.org/vuls/id/292713" target="_blank">http://www.kb.cert.org/vuls/id/292713</a>>; classtype:attempted-user; sid:10086;<br>
> rev:10;)<br>
<br>
unless this is a bad copy'n'paste, the above looks broken... the first 8 quoted<br>
lines are from one rule but the 9th line doesn't start off properly to be a<br>
valid rule (sid 10086)...<br>
<br>
if this is a good copy'n'paste, your snort should have errored out on the above...<br>
<span><font color="#888888"><br>
--<br>
NOTE: No off-list assistance is given without prior approval.<br>
       Please keep mailing list traffic on the list unless<br>
       private contact is specifically requested and granted.<br>
</font></span><div><div><br>
------------------------------------------------------------------------------<br>
Try New Relic Now & We'll Send You this Cool Shirt<br>
New Relic is the only SaaS-based application performance monitoring service<br>
that delivers powerful full stack analytics. Optimize and monitor your<br>
browser, app, & servers with just a few lines of code. Try New Relic<br>
and get this awesome Nerd Life shirt! <a href="http://p.sf.net/sfu/newrelic_d2d_apr" target="_blank">http://p.sf.net/sfu/newrelic_d2d_apr</a><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
</div></div></blockquote></div><br></div></div></div></div></div></div>