Snort mailing list archives
Re: Fw: Snort Rules
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 15 Feb 2013 10:02:11 -0500
http://manual.snort.org/ should help you lots

On Fri, Feb 15, 2013 at 9:49 AM, alex dina <alexander_dina () yahoo com> wrote:

> I am new to writing Snort rules, is there a manual, book or URL you can recommend to brush up on this? What about the sid:4200455 in the rule?
>
> *From:* waldo kitty <wkitty42 () windstream net>
> *To:* snort-sigs () lists sourceforge net
> *Sent:* Thursday, February 14, 2013 7:24 PM
> *Subject:* Re: [Snort-sigs] Fw: Snort Rules
>
> On 2/14/2013 17:28, alex dina wrote:
> > Also, can you please explain what these rules are looking for in a data packet? Thank you!
> >
> > alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; sid:4200455; rev:1;)
>
> what is there to explain? it is very simple... it is looking for content blocks of the following...
>
> GET /
> .asp?est=
> &hn=
> &ha=
>
> all must appear in the same packet...
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
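As an added illustration of waldo kitty's explanation above (this is example code, not something posted in the thread and not part of Snort itself), the following Python script parses the quoted rule, pulls out its `content:` options, and checks constructed sample payloads against them. It models the one thing the thread describes: each plain `content:` pattern in the rule is an independent, case-sensitive byte search, and the rule fires only when all of them are found in the same inspected payload, in any order. The rule text is copied from the thread; the sample HTTP requests and the host name `example.invalid` are constructed for the example.

```python
"""
Added example: minimal model of how the unordered `content:` matches in the
quoted Snort rule are evaluated against a packet payload.

Assumptions (labelled): plain `content:` without modifiers such as
`distance`, `within`, `nocase` or `http_uri` is treated as a case-sensitive
substring search over the raw payload; the rule alerts only when every
pattern is present. Sample payloads below are constructed, not real traffic.
"""
import re

# Rule text exactly as quoted in the thread.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into header fields and option values.

    Returns the header tokens, the list of `content:` patterns in rule order,
    and the msg/sid/rev values.
    """
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    body = body.rstrip(")")
    # Options are `name:value;` pairs; values may be double-quoted strings.
    opts = re.findall(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);', body)
    contents = [v.strip('"') for k, v in opts if k == "content"]
    scalar = {k: v.strip('"') for k, v in opts if k != "content"}
    return {
        "action": action, "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "contents": contents,
        "msg": scalar.get("msg"),
        "sid": int(scalar["sid"]),
        "rev": int(scalar.get("rev", 1)),
    }


def matches(rule: dict, payload: bytes) -> bool:
    """True only if every content pattern occurs somewhere in the payload."""
    return all(c.encode() in payload for c in rule["contents"])


# Constructed payloads: one carrying all four patterns, one missing "&ha=",
# and an ordinary GET that shares only the first pattern.
SAMPLES = {
    "all_four": b"GET /index.asp?est=1&hn=host&ha=abcd HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "missing_ha": b"GET /index.asp?est=1&hn=host HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign_get": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def evaluate(rule_text: str = RULE, samples=SAMPLES) -> dict:
    """Return {sample_name: True/False} for whether the rule would alert."""
    rule = parse_rule(rule_text)
    return {name: matches(rule, payload) for name, payload in samples.items()}


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print(f"sid:{parsed['sid']} rev:{parsed['rev']} msg={parsed['msg']!r}")
    print("patterns:", parsed["contents"])
    for name, hit in evaluate().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no alert'}")
```

Running it shows the point of the thread: the second payload contains three of the four strings and still produces no alert, because a rule with several plain `content:` options is an AND of all of them. Real Snort adds stream reassembly, HTTP normalization and content modifiers on top of this, which is where the manual linked above comes in.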
Current thread:
- Fw: Snort Rules alex dina (Feb 14)
- Re: Fw: Snort Rules waldo kitty (Feb 14)
- Re: Fw: Snort Rules alex dina (Feb 15)
- Re: Fw: Snort Rules Alex McDonnell (Feb 15)
- Re: Fw: Snort Rules Ned Moran (Feb 15)
- Re: Fw: Snort Rules waldo kitty (Feb 15)
- Re: Fw: Snort Rules alex dina (Feb 15)
- <Possible follow-ups>
- Snort Rules Josh Bitto (Mar 24)
- Re: Snort Rules Joel Esler (Mar 24)
- Re: Snort Rules Mayur Patil (Mar 24)
- Re: Snort Rules Kurt Jensen CISSP (Mar 26)
- Re: Snort Rules Joel Esler (Mar 24)
- Re: Fw: Snort Rules waldo kitty (Feb 14)