Snort mailing list archives

RE: [Snort-sigs] First attempt at writing a sig


From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Fri, 17 Dec 2004 15:30:48 -0500

Sid-msg.map is only relevant if you are using barnyard.  Why can't we
get rid of sid-msg.map and have snort log the event name in unified?
For speed I am assuming...

Joel

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Lance Boon
Sent: Friday, December 17, 2004 3:21 PM
To: snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] First attempt at writing a sig


Thanks for pointing that out; here's the updated rule:

alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000000; rev:2;)

This caught my traffic going to my remote subnets. I tried increasing
the revision # as well but to no avail, so I changed the sid to 2000001:


alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000001; rev:1;)

Now it's showing up in Acid correctly

-----Original Message-----
From: Matt Jonkman [mailto:matt () infotex com] 
Sent: Friday, December 17, 2004 2:10 PM
To: Lance Boon
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] First attempt at writing a sig

Not a bad run for a first sig. Thanks for posting it.

Why did you go home-home net? Why not home-any? Or even any-any? I'm not
that familiar with the tool, but I'd think the most interesting traffic
would be someone from the outside connecting to a local box.

As far as why it doesn't show right in acid, not sure. It is crafted 
correctly. Try increasing the rev number and hitting it again. I wonder 
if maybe the first time you had a hit the msg was empty, in which case 
it won't take the new msg until the rev # increases.

I'll put this up on bleeding snort for more testing after we sort out 
the reasons for the home-home.

Matt

Lance Boon wrote:

This is my first attempt at writing a sig and wondered if anybody had
any pointers. I got a pcap of a netop session to 2 different systems,
ran it through snort and noticed that the content was the same in one
particular packet. So I wrote a rule for it; I have this working on my
network right now and haven't had any false positives yet. The only
thing that is bugging me, and I'm sure that it's something that I'm
missing, is that when an alert hits it doesn't read "Netop Remote Control
Usage" on the acid page, it just says [snort] Snort Alert [1:2000000:0]

alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control 
Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
rev:1)
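The two things the thread turns on can be shown in a few lines: unified output carries only gid:sid:rev, so barnyard (and a frontend fed by it) needs a sid-msg.map line to put a name on the event, and a rule whose last option is not terminated with ';' is easy to miss by eye. The Python below is an added example, not code from the thread or from Snort; it parses a rule in Snort 2 syntax, decodes the |hex| content, emits a sid-msg.map line in Snort's "sid || msg || reference" format, flags the slips a reviewer would catch, and runs a plain substring match on constructed UDP payloads (offset/depth modifiers are not handled). The generic event label it falls back to is modelled on the "Snort Alert [1:2000000:0]" string ACID showed, not on ACID's own code.

```python
"""Added example (not from the thread or from Snort): parse a Snort 2 rule,
decode |hex| content, build a sid-msg.map line, lint the rule, test a match."""
import re

# Constructed sample: the rule Lance ended up with (sid 2000001, rev 1).
SAMPLE_RULE = (
    'alert udp any any -> any any (msg:"Netop Remote Control Usage"; '
    'content:"|554b30303736305337473130|"; reference:url,www.netop.com; '
    'classtype:policy-violation; sid:2000001; rev:1;)'
)
# Constructed payloads; only the first carries the bytes the rule looks for.
PAYLOAD_HIT = b"\x01\x00" + b"UK00760S7G10" + b"\x00" * 8
PAYLOAD_MISS = b"\x01\x00" + b"UK00760S7G11" + b"\x00" * 8

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
LOCAL_SID_START = 1000000  # sids below this are reserved for distributed rules


def split_options(body):
    """Split the rule body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return [o for o in opts + ([tail] if tail else []) if o]


def decode_content(value):
    """Content string to bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Parse one rule into a dict; lenient about a missing final ';' so it can be reported."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts.setdefault(key, []).append(val)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "msg": opts.get("msg", [""])[0],
            "gid": int(opts.get("gid", ["1"])[0]),
            "sid": int(opts.get("sid", ["0"])[0]),
            "rev": int(opts.get("rev", ["0"])[0]),
            "contents": [decode_content(c) for c in opts.get("content", [])],
            "references": opts.get("reference", []),
            "terminated": body.rstrip().endswith(";")}


def check_rule(parsed):
    """Problems a reviewer would flag before the rule goes into snort.conf."""
    issues = []
    if not parsed["terminated"]:
        issues.append("last option is not terminated with ';'")
    if not parsed["msg"]:
        issues.append("msg is empty; frontends will show only gid:sid:rev")
    if parsed["sid"] < LOCAL_SID_START:
        issues.append("sid %d is in the range reserved for distributed rules" % parsed["sid"])
    if not parsed["contents"]:
        issues.append("no content match; rule fires on every packet matching the header")
    return issues


def sid_msg_map_line(parsed):
    """sid-msg.map line ('sid || msg || reference ...') that barnyard uses to
    name unified events, which carry only gid:sid:rev."""
    return " || ".join([str(parsed["sid"]), parsed["msg"]] + parsed["references"])


def event_label(gid, sid, rev, sidmap):
    """Mapped msg if the sid is known, else a generic label like ACID showed."""
    return sidmap.get(sid) or "Snort Alert [%d:%d:%d]" % (gid, sid, rev)


def payload_matches(parsed, payload):
    """Substring check for every content option (no offset/depth handling)."""
    return all(c in payload for c in parsed["contents"])


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print("issues:", check_rule(r) or "none")
    print("content bytes:", r["contents"][0], "| sid-msg.map:", sid_msg_map_line(r))
    print("with map:", event_label(r["gid"], r["sid"], r["rev"], {r["sid"]: r["msg"]}))
    print("without map:", event_label(r["gid"], r["sid"], r["rev"], {}))
    print("hit:", payload_matches(r, PAYLOAD_HIT), "miss:", payload_matches(r, PAYLOAD_MISS))
```

Running check_rule on the first rule in the thread (the one ending in "rev:1)") reports the unterminated last option; the hex content decodes to the ASCII string UK00760S7G10, which is what the rule actually matches on.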