Snort mailing list archives
help us help you
From: Brian <bmc () snort org>
Date: Mon, 1 Nov 2004 17:30:09 -0500
Do you find yourself wishing you could contribute to the cause without knowing where to start? Don't know how to write rules, but you wish you could help make the rules better? Here is your chance to help us help you.

I'm working on cleaning up the netbios rules, and need a bit of "real world" testing. Please add these rules to your IDS installation and send me the packet payload[0] of any alerts that are generated.

alert tcp any any -> any 139 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)

alert tcp any any -> any 445 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)

Are you in a sensitive environment and just can't get that packet payload to me? Well, I can still use your help. Run the packet payload for each alert through the attached perl script, and send me the output.

Brian

[0] By "packet payload", I mean the hex ASCII output generated by snort, but only the payload portion. If you look at the attached script, the __DATA__ section is an example payload. When using the example payload, the script outputs the following:

73 75 FF
Attachment: parser.pl
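The attached parser.pl is not reproduced in the archive, so the following is an added example, not Brian's script or Snort's code. It does two things the post describes: it ports the rules' PCRE to Python and runs it over constructed SMB1 requests, and it walks the AndX chain to print the command codes the way the "73 75 FF" sample output suggests. The regex works because the SMB1 header is a fixed 32 bytes: the command byte sits at offset 4 (right after \xFFSMB), `.{28}` spans the remaining 27 header bytes plus the WordCount byte, and the negative lookahead lands exactly on AndXCommand, the first parameter word of every AndX request (0xFF means "no further command"). SESSION_SETUP_ANDX (0x73) gets a separate branch because a following TREE_CONNECT_ANDX (0x75) is the normal client behaviour and should not alert. The command names, the minimal AndX blocks and the test payloads are my constructions; the chain-walking logic is a reconstruction of what the script's output implies, not the script itself.

```python
import re
import struct

# Byte-for-byte port of the PCRE in the two RESEARCH rules
# (PCRE flag s -> re.DOTALL, flag i -> re.IGNORECASE).
ANDX_STACKED_RE = re.compile(
    rb"^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)"
    rb"|(\x73).{28}(?!\xff|\x75))",
    re.DOTALL | re.IGNORECASE,
)

# SMB1 AndX command codes referenced by the rule (names per the SMB1 spec).
SMB_COM = {
    0x24: "LOCKING_ANDX", 0x2D: "OPEN_ANDX", 0x2E: "READ_ANDX",
    0x2F: "WRITE_ANDX", 0x73: "SESSION_SETUP_ANDX", 0x74: "LOGOFF_ANDX",
    0x75: "TREE_CONNECT_ANDX", 0xA2: "NT_CREATE_ANDX",
}

NBSS_HDR_LEN = 4   # NetBIOS session service header: type byte + 3-byte length
SMB_HDR_LEN = 32   # \xFFSMB, command, status, flags, flags2, PIDHigh, sig, ..., MID


def build_smb_request(chain):
    """Constructed test data (not a capture): a NetBIOS-framed SMB1 request
    whose AndX chain is `chain`, e.g. [0x73, 0x75]. Each block carries only the
    mandatory AndX parameter words (AndXCommand, AndXReserved, AndXOffset) and an
    empty data section; the last block's AndXCommand is 0xFF."""
    if not chain:
        raise ValueError("need at least one command")
    header = b"\xFFSMB" + bytes([chain[0]]) + b"\x00" * 27   # 32 bytes, rest zeroed
    body = b""
    for i in range(len(chain)):
        nxt = chain[i + 1] if i + 1 < len(chain) else 0xFF
        block_len = 1 + 4 + 2                     # WordCount, 2 param words, ByteCount
        # AndXOffset is measured from the start of the SMB header.
        andx_off = SMB_HDR_LEN + len(body) + block_len if nxt != 0xFF else 0
        body += struct.pack("<BBBH", 2, nxt, 0, andx_off) + struct.pack("<H", 0)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def is_stacked(payload):
    """True when the rules' PCRE fires on this payload."""
    return ANDX_STACKED_RE.match(payload) is not None


def walk_andx_chain(payload):
    """Return the command codes of the AndX chain as hex strings, ending with
    "FF" (the AndX terminator). Stops on a truncated block or a looping offset
    instead of spinning or reading past the buffer."""
    if len(payload) < NBSS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("too short for an SMB1 message")
    smb = payload[NBSS_HDR_LEN:]
    if smb[:4] != b"\xFFSMB":
        raise ValueError("not an SMB1 message")
    cmds = ["%02X" % smb[4]]
    pos, seen = SMB_HDR_LEN, set()
    while pos not in seen and pos >= SMB_HDR_LEN and pos + 5 <= len(smb):
        seen.add(pos)
        if smb[pos] < 2:                  # fewer than 2 parameter words: not an AndX block
            break
        andx_cmd = smb[pos + 1]
        andx_off = struct.unpack_from("<H", smb, pos + 3)[0]
        cmds.append("%02X" % andx_cmd)
        if andx_cmd == 0xFF:
            break
        pos = andx_off
    return cmds


def chain_summary(payload):
    """The 'script output' form of the chain, e.g. '73 75 FF'."""
    return " ".join(walk_andx_chain(payload))


if __name__ == "__main__":
    for chain in ([0x73, 0x75], [0x73, 0xA2], [0x75, 0x73], [0x2E]):
        p = build_smb_request(chain)
        names = " -> ".join(SMB_COM.get(c, "%02X" % c) for c in chain)
        print("%-40s %-10s alert=%s" % (names, chain_summary(p), is_stacked(p)))
```

The first case (SESSION_SETUP_ANDX chained to TREE_CONNECT_ANDX) is the legitimate pattern the 0x73 branch whitelists, so it prints "73 75 FF" and does not alert; the other stacked chains do. A real client's SESSION_SETUP_ANDX has a WordCount of 13 rather than 2, but the regex only requires that the byte exist, so the minimal blocks are enough to exercise it.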