Snort mailing list archives

Re: Fw: Snort Rules


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 15 Feb 2013 22:53:52 -0500

On 2/15/2013 09:49, alex dina wrote:
> I am new to writing Snort rules,

okay...

> is there a manual, book or URL you can recommend to brush up on this?

others have responded with what i would also point to... snort rules are not 
that hard to decipher ;)

> what about the sid:4200455 in the rule?

that is simply an ID number... they can change when one submits their rules to 
those who may publish them... it is just a number which is used to correlate the 
alerts generated by it... outside of that, it really doesn't mean all that much...

*From:* waldo kitty <wkitty42 () windstream net>
*To:* snort-sigs () lists sourceforge net
*Sent:* Thursday, February 14, 2013 7:24 PM
*Subject:* Re: [Snort-sigs] Fw: Snort Rules

On 2/14/2013 17:28, alex dina wrote:
 > Also, can you please explain what these rule are looking for in a data packet?
 > Thank you!
 >
 > alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
 > content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
 > sid:4200455; rev:1;)


what is there to explain? it is very simple... it is looking for content blocks
of the following...

GET /
.asp?est=
&hn=
&ha=

all must appear in the same packet...
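As an added illustration of what the reply above describes (this is not code from the thread or from Snort), the following Python emulates Snort's `content` matching for the quoted rule: a small parser pulls the header, `msg`, the four `content` strings, `sid` and `rev` out of the rule text, and a matcher checks each packet payload on its own, alerting only when every `content` string is present. The HTTP request payloads are constructed samples, not real traffic; the hostnames and query values in them are made up.

```python
"""Emulate Snort 'content' matching for the rule quoted in this thread.

Added illustration, not Snort code: a tiny parser for the rule's header and
option list plus a per-packet matcher.  It covers only what the quoted rule
uses (msg, content, nocase, sid, rev); other options are kept but ignored.
"""
import re
from dataclasses import dataclass, field

# The rule from the thread, with its line breaks joined.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')

# One option at a time: keyword, optional ':' value (quoted or bare), then ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 0
    contents: list = field(default_factory=list)   # [(pattern_bytes, nocase)]
    other: dict = field(default_factory=dict)      # options not emulated here


def decode_content(raw):
    # Turn a content string into bytes: |xx xx| runs are hex, the rest literal.
    # Backslash escapes for " ; : and \ are honoured; escaped pipes are not.
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:                      # odd segments sit inside |...|
            out += bytes.fromhex(part)
        else:
            out += re.sub(r'\\([";:\\])', r'\1', part).encode()
    return bytes(out)


def parse_rule(text):
    header, _, body = text.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("rule header must be: action proto src sport dir dst dport")
    rule = Rule(*fields)
    body = body.rstrip().rstrip(")").rstrip()
    pos = 0
    while pos < len(body):
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError("unparsable option near: %r" % body[pos:pos + 20])
        key, raw = m.group(1), m.group(2)
        pos = m.end()
        if key == "msg":
            rule.msg = raw.strip('"')
        elif key == "content":
            if raw.startswith("!"):
                raise ValueError("negated content is not emulated")
            rule.contents.append((decode_content(raw.strip('"')), False))
        elif key == "nocase":             # modifies the preceding content
            pat, _ = rule.contents[-1]
            rule.contents[-1] = (pat, True)
        elif key in ("sid", "rev"):
            setattr(rule, key, int(raw))
        else:
            rule.other[key] = raw
    return rule


def matches(rule, payload):
    """Snort ANDs all content options; with no distance/within modifiers they
    may appear in any order, anywhere in the buffer.  The header is not
    checked here because the quoted rule uses 'any' everywhere."""
    lowered = payload.lower()
    for pattern, nocase in rule.contents:
        hay, needle = (lowered, pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def evaluate(rule, packets):
    """Evaluate each packet on its own, as the reply describes; return alerts."""
    return [(i, rule.msg, rule.sid) for i, p in enumerate(packets) if matches(rule, p)]


# Constructed sample payloads (not real traffic; names and values are made up).
SAMPLE_PACKETS = {
    "full_beacon": b"GET /update.asp?est=1&hn=EXAMPLE-PC&ha=0123 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "benign_asp":  b"GET /index.asp?page=1&hn=EXAMPLE-PC HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # The same request split across two packets: neither half alone carries all four strings.
    "split_part1": b"GET /update.asp?est=1",
    "split_part2": b"&hn=EXAMPLE-PC&ha=0123 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, payload in SAMPLE_PACKETS.items():
        print(f"{name:12s} -> {'ALERT' if matches(rule, payload) else 'no alert'}")
```

Only the first sample alerts: the second lacks `.asp?est=` and `&ha=`, and the split halves each miss some of the strings, which is the "all must appear in the same packet" point made above. Because the rule carries no `distance` or `within` modifiers, the emulation deliberately does not care about the order of the four strings.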



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

