Snort mailing list archives
Re: Virus pattern detection
From: Brian <bmc () snort org>
Date: Wed, 26 Sep 2001 08:56:57 -0400
According to Miguel Koren O'Brien de Lacy:
> By reading the Snort User's Manual, where I see that: it seems to be possible to use plug-ins from:
>
> Bugtraq    http://www.securityfocus.com/bid/
> CVE        http://cve.mitre.org/cgi-bin/cvename.cgi?name=
> Arachnids  http://www.whitehats.com/info/IDS
> McAfee     http://vil.nai.com/vil/dispVirus.asp?virus_k=
No, you have that all wrong. Those are URLs for the "sp_reference" plugin. You can use that inside of a signature like this.

    alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)

Then on output instead of seeing "bugtraq,10", you see http://www.securityfocus.com/bid/10

There are 5 types of references available: Bugtraq, CVE, ArachNIDS, McAfee, and URL. This plugin makes the signature maintainer's life easier when a site changes searching criteria.

-brian

--
I could dance till the cows come home. On second thought, I'd rather dance with the cows till you come home. -- Groucho Marx
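The reference expansion described in the reply above, as an added Python example that is not part of the original post and is not Snort's own code. The first four URL prefixes are the ones quoted in the thread; the "http://" prefix for the URL type, the lowercase system keys and the name `expand_references` are assumptions of this example.

```python
import re

# URL prefix per reference system. The first four come from the thread;
# the "url" prefix is an assumption (the post does not state it).
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}

# Quoted option values (e.g. msg text) are blanked so that a
# "reference:" string inside a message is not mistaken for an option.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# One "reference:<system>,<id>;" option in the rule body.
REFERENCE_OPTION = re.compile(r"\breference\s*:\s*([^,;\s]+)\s*,\s*([^;]+?)\s*;", re.I)


def expand_references(rule):
    """Return (system, id, url) per reference option; url is None if the system is unknown."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("rule has no option section")
    body = QUOTED.sub('""', rule[start + 1:end])
    results = []
    for system, ref_id in REFERENCE_OPTION.findall(body):
        key = system.lower()
        prefix = REFERENCE_PREFIXES.get(key)
        results.append((key, ref_id, prefix + ref_id if prefix else None))
    return results


if __name__ == "__main__":
    # The rule posted in the thread.
    posted = 'alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)'
    # Constructed rule: several references, one unknown system, and a
    # message that itself contains reference-like text.
    constructed = ('alert tcp any any -> any 80 (msg:"constructed; reference:bugtraq,99;"; '
                   'reference:cve,CVE-0000-0000; reference:arachnids,1; reference:nosuch,5;)')
    for rule in (posted, constructed):
        for system, ref_id, url in expand_references(rule):
            print(f"{system},{ref_id} -> {url or 'unknown reference system'}")
```

Because signatures carry only the system name and the id, a change in a site's lookup URL is handled by editing one table entry rather than every rule.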
Current thread:
- Virus pattern detection Miguel Koren O'Brien de Lacy (Sep 25)
- Re: Virus pattern detection Brian (Sep 26)