Snort mailing list archives

Re: snort rules....


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Sun, 26 Oct 2003 00:22:08 -0400

You can find all information about how snort rules work in the snort manual (http://www.snort.org/docs/writing_rules/).
It does a much better job than I could trying to explain things.  The basics, however, are where the packet is coming
from, where it's going, and what is contained within it.  As for what a rule does, the best descriptions are in the snort
rule database (http://www.snort.org/cgi-bin/done.cgi).  Each rule will have a description and reference links to more
information.  The reference links will take you to detailed descriptions of the particular security issue and even
provide further reference links.  This should get you everything you need, again in greater detail than anything I
could write.

You may come across rules that don't have any description.  In your case the first rule below doesn't have a complete
entry in the snort database.  What I usually do in this case is google the msg field "TELNET Solaris memory
mismanagement exploit attempt" to see if I can find any information. (Often you will need to refine your search some.)
If you still can't get anywhere, try the Snort Sigs Mailing list.  I wish I could help you more, but I often have trouble
with the limited number of rules I see on a daily basis. Usually I end up researching one or two new rules a week.  The
key, though, is to try and reduce the number of false positives you get, giving you more time to deal with the real
problems.

Shawn

"f z" <freezc101 () yahoo com> 10/25/03 11:38pm >>>

thanks shawn...:)

can you teach me how to read/understand this set of
rules...because i have to present it to my friend and
my project supervisor....especially on the "msg"....


alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:1;)

thanks......
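Added example, not part of this thread: a small Python parser for the Snort rule syntax Shawn describes, run over the three rules quoted above. It separates each rule into its header (the action, protocol, and who talks to whom on which ports) and its options (what the packet must contain), decodes content patterns including the |hex| sections and the ! negation, attaches modifiers such as nocase and within to the content keyword they follow, and prints the kind of plain-English summary you could present. It covers only the keywords that appear in these three rules; anything beyond that is simply carried through as a key/value pair.

```python
"""Parse Snort rules into header fields, ordered options and decoded content matches.
Added example for the thread above; handles the keywords used in the quoted rules."""
import re

# The three rules quoted in the thread, each joined back onto one line.
RULES_FROM_THREAD = [
    r'''alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:6;)''',
    r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)''',
    r'''alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:1;)''',
]

# Header: action proto src sport direction dst dport, then the option body in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$', re.S)

# Option keywords that modify the content/uricontent keyword immediately before them.
MODIFIERS = {'nocase', 'within', 'distance', 'depth', 'offset'}


def split_options(body):
    """Split 'key:value; key; ...' on semicolons that are not inside double quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == '\\' and i + 1 < len(body):      # keep escape pairs such as \: or \; intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(c)
        i += 1
    tok = ''.join(cur).strip()
    if tok:
        opts.append(tok)
    return opts


def decode_content(value):
    """Turn a value such as !"|0a|" or "Content-Type\\:" into (negated, bytes).
    Text between | | is hex (spaces allowed); elsewhere a backslash escapes one char."""
    value = value.strip()
    negated = value.startswith('!')
    if negated:
        value = value[1:].strip()
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError('content value must be quoted: %r' % value)
    out = bytearray()
    for idx, part in enumerate(value[1:-1].split('|')):
        if idx % 2:                               # odd pieces sit between | | delimiters
            out += bytes.fromhex(part)
        else:
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return negated, bytes(out)


def parse_rule(text):
    """Parse one rule into a dict of header fields, ordered options and content matches."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a rule header: %r' % text[:40])
    rule = m.groupdict()
    body = rule.pop('body')
    rule['options'] = []                          # [(key, value-or-None)] in rule order
    rule['matches'] = []                          # one dict per content/uricontent keyword
    for opt in split_options(body):
        key, sep, val = opt.partition(':')
        key, val = key.strip(), (val.strip() if sep else None)
        rule['options'].append((key, val))
        if key in ('content', 'uricontent'):
            negated, data = decode_content(val)
            rule['matches'].append({'keyword': key, 'negated': negated,
                                    'bytes': data, 'modifiers': {}})
        elif key in MODIFIERS and rule['matches']:   # modifier binds to the previous match
            rule['matches'][-1]['modifiers'][key] = val
    for key in ('msg', 'sid', 'rev', 'classtype', 'flow'):
        rule[key] = next((v for k, v in rule['options'] if k == key), None)
    rule['msg'] = rule['msg'].strip('"') if rule['msg'] else None
    rule['references'] = [v for k, v in rule['options'] if k == 'reference']
    return rule


def describe(rule):
    """Render a parsed rule as a short plain-English summary."""
    lines = ['sid %s rev %s: %s' % (rule['sid'], rule['rev'], rule['msg']),
             '  %s %s traffic from %s port %s %s %s port %s' % (
                 rule['action'], rule['proto'], rule['src'], rule['sport'],
                 rule['direction'], rule['dst'], rule['dport'])]
    if rule['flow']:
        lines.append('  only on %s streams' % rule['flow'].replace(',', ', '))
    for i, mt in enumerate(rule['matches'], 1):
        where = 'URI' if mt['keyword'] == 'uricontent' else 'payload'
        mods = ''.join(' [%s%s]' % (k, ':' + v if v else '') for k, v in mt['modifiers'].items())
        lines.append('  match %d: %s must %scontain %r%s' % (
            i, where, 'NOT ' if mt['negated'] else '', mt['bytes'], mods))
    if rule['references']:
        lines.append('  references: ' + ', '.join(rule['references']))
    lines.append('  class: %s' % rule['classtype'])
    return '\n'.join(lines)


if __name__ == '__main__':
    for text in RULES_FROM_THREAD:
        print(describe(parse_rule(text)), end='\n\n')
```

The summary for the second rule makes the "overflow attempt" msg concrete: the first match is "CEL " (case-insensitive), and the second is a negated match for a newline bounded by within:100, so the rule fires when a CEL command is followed by 100 bytes with no line ending, which is an argument far longer than a normal FTP command line. The third rule reads the same way against the Content-Type header of a request for /msadcs.dll.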





