Snort mailing list archives
large updates to signatures
From: Brian <bmc () snort org>
Date: Wed, 13 Feb 2002 09:15:27 -0500
In case you are not subscribed to snort-cvs, we've made a large number of changes to the signatures in the last few days. If you are subscribed, ignore this. For everyone else, here is a quick update.

We are adding references and other signature updates as people submit documentation for the snort signature database (And a great big thanks to everyone that has been doing that, keep up the good work).

We have removed many of the offset/depths from the MSSQL signatures and added its ports to the default list of stream4 decoders. Since we do not have an instance of MSSQL, it is hard to verify where in a stream some of the potentially bad functions can be placed, so we've decided to check the entire stream. (Thanks Chris Green for pointing that out).

Thanks to Jon Hart and Chris Green, we've added a number of SNMP signatures that should help in your quest to catch evil doers.

A new feature that will be released in 1.8.4 named "" allows us to detect which direction a signature is supposed to be looking for. For example, if you have:

alert ... (msg:"BLAH"; content:"BLAH"; to_server;)

Snort would only alert if the client was sending BLAH to the server. This will allow us to remove yet another layer of false positives by only looking for attacks in the direction they are supposed to be traveling. The syntax may change, but the outcome will be the same.

For those using snort-current, the signatures will start using this feature soon. Look for it in a CVS update near you.

-brian
--
Quidquid latine dictum sit, altum viditur. (Whatever is said in Latin sounds profound.)
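The direction check described in the message above, as an added example that is not part of the original post and is not Snort's code: a simplified Python model that treats the sender of the first packet in a flow as the client and checks the content only in the direction the rule names. The `Rule` class, `match_flow`, the endpoint names and the packet list are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (src, dst, payload) - constructed sample traffic, not a real capture.
Packet = Tuple[str, str, bytes]

@dataclass
class Rule:
    msg: str
    content: bytes
    direction: Optional[str] = None  # "to_server", "to_client", or None (either way)

def match_flow(rule: Rule, packets: List[Packet]) -> List[int]:
    """Return the indexes of packets in one flow that the rule alerts on.

    Assumption: the first packet of the flow is sent by the client, so its
    source and destination define the client and server for the whole flow.
    """
    if not packets:
        return []
    client, server = packets[0][0], packets[0][1]
    hits = []
    for i, (src, dst, payload) in enumerate(packets):
        if (src, dst) == (client, server):
            pkt_dir = "to_server"
        elif (src, dst) == (server, client):
            pkt_dir = "to_client"
        else:
            continue  # packet does not belong to this flow
        if rule.direction is not None and rule.direction != pkt_dir:
            continue  # content is only checked in the direction the rule names
        if rule.content in payload:
            hits.append(i)
    return hits

CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.9:80"
FLOW = [
    (CLIENT, SERVER, b"GET /index.html"),          # request, no match
    (SERVER, CLIENT, b"page text mentions BLAH"),  # benign response containing the string
    (CLIENT, SERVER, b"POST /form BLAH"),          # client sends the string to the server
]

undirected = Rule("BLAH", b"BLAH")
directed = Rule("BLAH", b"BLAH", direction="to_server")

if __name__ == "__main__":
    print("without direction:", match_flow(undirected, FLOW))
    print("with to_server:   ", match_flow(directed, FLOW))
```

The undirected rule also fires on the server's response that merely contains the string, which is the kind of false positive the direction check removes.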