Snort mailing list archives
Re: [Snort-devel] RE: [Snort-sigs] First attempt at writing a sig
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 6 Jan 2005 01:20:01 -0500
Hi Joel,

That's exactly why, it's a lot faster and more compact to just use nice little 32-bit ints and do all the string handling "heavy lifting" as a post process. Unified was designed with one primary driver in mind: speed. It sucks to have to manage the sid-msg.map, but it's there for performance reasons...
I suppose if I was really cool I could have snort auto-generate the sid-msg.map file at start time based on the loaded rule set, but I'm not that cool (at least not this week)...
-Marty
P.S. What letters of the alphabet do we have left to use for this one...?
On Dec 17, 2004, at 3:30 PM, Esler, Joel - Contractor wrote:
Sid-msg.map is only relevant if you are using barnyard. Why can't we get rid of sid-msg.map and have snort log the event name in unified? For speed I am assuming...

Joel

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Lance Boon
Sent: Friday, December 17, 2004 3:21 PM
To: snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] First attempt at writing a sig

Thanks for pointing that out, here's the updated rule:

alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:2;)

This caught my traffic going to my remote subnets. I tried increasing the revision # as well but to no avail, so I changed the sid to 2000001:

alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000001; rev:1;)

Now it's showing up in Acid correctly.

-----Original Message-----
From: Matt Jonkman [mailto:matt () infotex com]
Sent: Friday, December 17, 2004 2:10 PM
To: Lance Boon
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] First attempt at writing a sig

Not a bad run for a first sig. Thanks for posting it.

Why did you go home-home net? Why not home-any? Or even any-any? I'm not that familiar with the tool, but I'd think the most interesting traffic would be someone from the outside connecting to a local box.

As far as why it doesn't show right in acid, not sure. It is crafted correctly. Try increasing the rev number and hitting it again. I wonder if maybe the first time you had a hit the msg was empty, in which case it won't take the new msg until the rev # increases.

I'll put this up on bleeding snort for more testing after we sort out the reasons for the home-home.
Matt

Lance Boon wrote:

This is my first attempt at writing a sig and wondered if anybody had any pointers. I got a pcap of a netop session to 2 different systems, ran it through snort and noticed that the content was the same on one particular packet. So I wrote a rule for it; I have this working on my network right now and haven't had any false positives yet. The only thing that is bugging me, and I'm sure that it's something that I'm missing, is that when an alert hits it doesn't read "Netop Remote Control Usage" on the acid page, it just says [snort] Snort Alert [1:2000000:0]

alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:1)
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
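Marty's idea of generating sid-msg.map from the loaded rule set, and the thread's symptom of an event showing up only as "Snort Alert [1:2000000:0]" when the console cannot resolve the sid to a message, can both be shown with a small script. The following is an added example written for this archive page, not Snort's or barnyard's own code: it parses rules like the ones posted above (including backslash-continued lines and ';' inside quoted values), emits the classic one-line-per-sid map layout (sid || msg || reference ...), then resolves a "[gid:sid:rev]" event id against that map. The sample rules and event ids are constructed from the thread; the fallback label is an assumption that mirrors what Lance saw in ACID.

```python
import re

# Constructed sample rules file, modelled on the rules posted in the thread.
# The second rule is spread over continuation lines to exercise that path.
SAMPLE_RULES = r"""
# Netop Remote Control (constructed sample, not a shipped Snort rules file)
alert udp any any -> any any (msg:"Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype:policy-violation; sid:2000000; rev:2;)
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control Usage"; \
    content:"|554b30303736305337473130|"; reference:url,www.netop.com; \
    classtype:policy-violation; sid:2000001; rev:1)
"""

OPTIONS_RE = re.compile(r'\((.*)\)\s*$')          # everything between the outer parentheses
EVENT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')   # [gid:sid:rev] as shown by the console


def join_continuations(text):
    """Fold 'backslash + newline' continuations so each rule is a single line."""
    return re.sub(r'\\\n\s*', ' ', text)


def split_options(body):
    """Split the option body on ';' but never inside a double-quoted value,
    so a content such as "a;b" is kept intact."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()   # last option may lack a trailing ';' (as in Lance's rule)
    if tail:
        opts.append(tail)
    return opts


def parse_rules(text):
    """Return (sid, msg, [references]) for every rule that carries both a sid and a msg."""
    entries = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = OPTIONS_RE.search(line)
        if not m:
            continue
        sid, msg, refs = None, None, []
        for opt in split_options(m.group(1)):
            key, sep, val = opt.partition(':')
            if not sep:
                continue          # flag options such as 'nocase' carry no value
            key, val = key.strip(), val.strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'msg':
                msg = val.strip('"')
            elif key == 'reference':
                refs.append(val)
        if sid is not None and msg is not None:
            entries.append((sid, msg, refs))
    return entries


def build_sid_msg_map(entries):
    """Render the classic barnyard layout: one line per sid, fields joined by ' || '."""
    ordered = sorted(entries, key=lambda e: e[0])
    return ''.join(' || '.join([str(sid), msg] + refs) + '\n' for sid, msg, refs in ordered)


def load_sid_msg_map(text):
    """Read a sid-msg.map back into {sid: (msg, [references])}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip() for p in line.split('||')]
        mapping[int(parts[0])] = (parts[1], parts[2:])
    return mapping


def event_label(mapping, event_id):
    """Resolve '[gid:sid:rev]' to the rule's msg. Without a map entry, fall back to a
    generic 'Snort Alert [gid:sid:rev]' label (assumed here to mirror the thread's symptom)."""
    m = EVENT_RE.fullmatch(event_id.strip())
    if not m:
        raise ValueError('expected an event id of the form [gid:sid:rev]')
    gid, sid, rev = (int(x) for x in m.groups())
    if gid == 1 and sid in mapping:      # the v1 map only covers generator 1 (rule) events
        return mapping[sid][0]
    return 'Snort Alert [%d:%d:%d]' % (gid, sid, rev)


if __name__ == '__main__':
    sid_map_text = build_sid_msg_map(parse_rules(SAMPLE_RULES))
    print(sid_map_text, end='')
    mapping = load_sid_msg_map(sid_map_text)
    print(event_label(mapping, '[1:2000000:0]'))   # resolves to the rule's msg
    print(event_label(mapping, '[1:9999999:0]'))   # no map entry: generic label
```

Regenerating the map every time the rule set changes (and restarting the post-processor that reads it) is the cheap way to avoid the unnamed-alert problem; the map is keyed on sid alone, which is also why bumping rev did nothing for Lance while choosing an unused sid did.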
Current thread:
- Re: [Snort-devel] RE: [Snort-sigs] First attempt at writing a sig Martin Roesch (Jan 05)
- Re: [Snort-devel] RE: [Snort-sigs] First attempt at writing a sig Jeff Nathan (Jan 11)
