Snort mailing list archives

Re: Virus pattern detection


From: Brian <bmc () snort org>
Date: Wed, 26 Sep 2001 08:56:57 -0400

According to Miguel Koren O'Brien de Lacy:
> By reading the Snort User's Manual, where I see that: it seems to be
> possible to use plug-ins from:
>
> Bugtraq   http://www.securityfocus.com/bid/
> CVE       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
> Arachnids http://www.whitehats.com/info/IDS
> McAfee    http://vil.nai.com/vil/dispVirus.asp?virus_k=

No, you have that all wrong.

Those are URLs for the "sp_reference" plugin.  You can use that inside
of a signature like this.

alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)

Then on output instead of seeing "bugtraq,10", you see
http://www.securityfocus.com/bid/10

There are 5 types of references available: Bugtraq, CVE, ArachNIDS,
McAfee, and URL.  This plugin makes the signature maintainer's life
easier when a site changes searching criteria.

-brian

-- 
I could dance till the cows come home.  On second thought, I'd rather
dance with the cows till you come home.
                -- Groucho Marx

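The expansion Brian describes, worked through as an added example (not code from the Snort project or from this thread): parse the option body of a rule, pull out every `reference:` option, and turn `system,id` into the URL the output plugin would print. The four URL prefixes are the ones quoted in the message; the `url` entry (bare `http://`) is an assumption about how the fifth type is rendered, taken from later Snort reference.config files rather than from this post, and the parser deliberately ignores option quoting corner cases (a `;` inside a quoted `msg`) that the message does not discuss.

```python
import re

# URL prefixes as listed in the message above. The "url" entry is an
# assumption (later Snort ships it as `config reference: url http://`);
# the post itself only says URL is one of the five types.
REFERENCE_SYSTEMS = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}

# keyword:value; pairs inside the parenthesised option body.
# Simplification: a ';' inside a quoted value is not handled.
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*?)\s*;")


def parse_rule_options(rule):
    """Return the (keyword, value) pairs from a rule's option body."""
    start = rule.find("(")
    end = rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option body")
    return OPTION_RE.findall(rule[start + 1:end])


def parse_references(rule):
    """Return (system, id) tuples for every reference: option in the rule."""
    refs = []
    for key, value in parse_rule_options(rule):
        if key.lower() != "reference":
            continue
        system, sep, ident = value.partition(",")
        if not sep or not ident.strip():
            # reference:bugtraq; with no id is a malformed option
            raise ValueError(f"malformed reference option: {value!r}")
        refs.append((system.strip().lower(), ident.strip()))
    return refs


def expand_reference(system, ident):
    """Map (system, id) to the URL the output plugin would print."""
    try:
        prefix = REFERENCE_SYSTEMS[system]
    except KeyError:
        # Snort rejects unknown reference systems at rule-load time
        raise ValueError(f"unknown reference system: {system!r}") from None
    return prefix + ident


def expand_references(rule):
    """All reference URLs for one rule, in option order."""
    return [expand_reference(s, i) for s, i in parse_references(rule)]


if __name__ == "__main__":
    # The rule from the message above.
    rule = 'alert tcp any any -> any any (msg:"some message"; reference:bugtraq,10;)'
    for url in expand_references(rule):
        print(url)
```

Because the URL prefix lives in one table rather than in every signature, a change to a vendor's search URL is a one-line edit to that table (today, to reference.config) instead of a sweep through the ruleset, which is the maintenance point the reply is making.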
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users