Re: [Snort-sigs] creating new sigs [newbie]

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Sat Apr 05 2003 - 12:07:14 EST

for testing use SID's of 1000000 (one million) or higher, which are reserved for local use. Make sure that no two rules have the same SID (1 million and higher will not be in the default ruleset, so you only need to make sure you don't collide with your own rules).

Also you should look at the rules in web-iis.rules. There are two generic ".ida" access signatures in there already. While not code-red specific, code red should trigger them.

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; classtype:web-application-attack; reference:bugtraq,1065; reference:cve,CAN-2000-0071; sid:1243; rev:8;) web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)

At 07:33 AM 4/5/2003 -0600, you wrote:
>I am a newbie to snort.

---

This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Sat Apr 5 12:38:55 2003