Snort mailing list archives

help us help you


From: Brian <bmc () snort org>
Date: Mon, 1 Nov 2004 17:30:09 -0500

Do you find yourself wishing you could contribute to the cause without
knowing where to start?  Don't know how to write rules, but you wish
you could help make the rules better?

Here is your chance to help us help you.

I'm working on cleaning up the netbios rules, and need a bit of "real
world" testing.  Please add these rules to your IDS installation and
send me the packet payload[0] of any alerts that are generated.

   alert tcp any any -> any 139 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)
   alert tcp any any -> any 445 (msg:"RESEARCH NETBIOS AndX stacked commands"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)|(\x73).{28}(?!\xff|\x75))/si";)

Are you in a sensitive environment and just can't get that packet
payload to me?  Well, I can still use your help.  Run the packet
payload for each alert through the attached perl script, and send me
the output.

Brian

[0] By "packet payload", I mean the hex ascii output generated by
    snort, but only the payload portion.  If you look at the attached
    script, the __DATA__ section is an example payload.  When using
    the example payload, the script outputs the following:

73
75
FF

Attachment: parser.pl
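The attached parser.pl is not reproduced in the archive. The following is an added example, not Brian's script and not part of the original post, that shows what the two RESEARCH rules are testing: after the 4-byte NetBIOS session header and the 32-byte SMB header, the `.{28}` in the pcre skips the remaining 27 header bytes plus the WordCount byte and lands on the AndXCommand field of the first command block; a value other than 0xFF means a second command is chained ("stacked") behind the first, and for Session Setup AndX (0x73) the usual Tree Connect AndX (0x75) follow-on is excused. The code walks the whole AndX chain and prints each command byte in the same style as the example output above (73, 75, FF), and applies the posted pcre to the same bytes. The SMB1 field layout is taken from the protocol; `build_smb_chain` fabricates minimal test packets (constructed data, not captures) and the word counts it uses for commands other than 0x73 and 0x75 are an assumption for padding only.

```python
import re
import struct

# Command codes the posted pcre treats as AndX-capable.
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}
# \xFFSMB(4) command(1) status(4) flags(1) flags2(2) pidhigh(2) signature(8)
# reserved(2) tid(2) pid(2) uid(2) mid(2) = 32 bytes
SMB_HEADER_LEN = 32

# The pcre from the posted rules, as a Python bytes regex (same flags: s and i).
RULE_PCRE = re.compile(
    rb"^\x00.{3}\xFFSMB((\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(?!\xff)"
    rb"|(\x73).{28}(?!\xff|\x75))",
    re.S | re.I,
)


def build_smb_chain(commands):
    """Construct a NetBIOS-framed SMB1 request whose AndX chain is `commands`.

    Each block is WordCount(1), AndXCommand(1), AndXReserved(1), AndXOffset(2),
    remaining parameter words (zero-filled), ByteCount(2) = 0. AndXOffset is
    measured from the start of the SMB header. Constructed test data only;
    the word counts are assumptions chosen to give realistically sized blocks.
    """
    word_counts = {0x73: 13, 0x75: 4}  # Session Setup AndX, Tree Connect AndX
    header = b"\xFFSMB" + bytes([commands[0]]) + b"\x00" * 27
    blocks = b""
    offset = SMB_HEADER_LEN
    for i, cmd in enumerate(commands):
        words = word_counts.get(cmd, 2)
        block_len = 1 + 2 * words + 2
        nxt = commands[i + 1] if i + 1 < len(commands) else 0xFF
        next_off = offset + block_len if nxt != 0xFF else 0
        params = struct.pack("<BBH", nxt, 0, next_off) + b"\x00" * (2 * (words - 2))
        blocks += bytes([words]) + params + struct.pack("<H", 0)
        offset += block_len
    body = header + blocks
    # NetBIOS session message: type 0x00 plus 3-byte big-endian length.
    return b"\x00" + struct.pack(">I", len(body))[1:] + body


def andx_chain(payload):
    """Return the command bytes of the AndX chain as uppercase hex strings,
    e.g. ['73', '75', 'FF']; None if this is not a NetBIOS-framed SMB message.
    A trailing '??' marks a truncated, looping or out-of-range chain."""
    if len(payload) < 8 or payload[0] != 0x00 or payload[4:8] != b"\xFFSMB":
        return None
    smb = payload[4:]
    if len(smb) < SMB_HEADER_LEN:
        return None
    cmd = smb[4]
    chain = [f"{cmd:02X}"]
    pos = SMB_HEADER_LEN  # WordCount of the first command block
    seen = set()
    while cmd in ANDX_COMMANDS:
        if pos in seen or pos < SMB_HEADER_LEN or pos + 5 > len(smb):
            chain.append("??")
            break
        seen.add(pos)
        cmd, _reserved, pos = struct.unpack_from("<BBH", smb, pos + 1)
        chain.append(f"{cmd:02X}")
        if cmd == 0xFF:
            break
    return chain


def rule_matches(payload):
    """True if the posted RESEARCH pcre would match this payload."""
    return RULE_PCRE.search(payload) is not None


def is_suspicious_chain(chain):
    """The pcre's condition restated on a parsed chain: an AndX-capable first
    command followed by something other than end-of-chain (0xFF); for Session
    Setup AndX the normal Tree Connect AndX follow-on is also allowed."""
    if chain is None or len(chain) < 2:
        return False
    first, nxt = chain[0], chain[1]
    if first == "73":
        return nxt not in ("FF", "75")
    return int(first, 16) in ANDX_COMMANDS and nxt != "FF"


if __name__ == "__main__":
    for cmds in ([0x73, 0x75], [0x75, 0xA2], [0x73, 0x2E], [0x25]):
        pkt = build_smb_chain(cmds)
        print("\n".join(andx_chain(pkt)), "-> rule fires:", rule_matches(pkt), "\n")
```

Two things to keep in mind when reading the alerts this produces. First, the pcre only inspects the first hop of the chain, so a login sequence of Session Setup AndX, Tree Connect AndX, and then a third stacked command is not flagged, while the parser above shows the whole chain. Second, the negative lookahead succeeds at end-of-data, so a request cut off right after the first WordCount byte (a 37-byte message) matches the rule; the parser reports such a chain as `['73', '??']`. The `i` flag also makes the letter-valued command bytes (0x73, 0x74, 0x75) case-insensitive, so the pattern would accept 0x53, 0x54 and 0x55 in the command position as well; the parsed-chain check does not.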