Snort mailing list archives
RE: Snort rules updated?
From: "John York" <YorkJ () brcc edu>
Date: Thu, 14 Aug 2003 13:24:02 -0400
I think the rules ARE in the current download from the snort website, both the current and stable. Look in netbios.rules, and at the bottom you should see two rules with this message: "NETBIOS DCERPC ISystemActivator bind attempt". Thanks John John York Network Engineer Blue Ridge Community College 1 College Lane, Weyers Cave, VA 24486 540.453.2255
-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users- admin () lists sourceforge net] On Behalf Of Christopher Lyon Sent: Thursday, August 14, 2003 3:33 AM To: CMartin () infosol com; erek () snort org Cc: snort-users () lists sourceforge net Subject: RE: [Snort-users] Snort rules updated? It doesn't look like the DCOM rules are in the ../dl/snortrules-current.tar.gz or in the CVS tree. I am sure they
will
get them in there but for now use what they have listed: http://www.snort.org/snort-db/sid.html?sid=2192 http://www.snort.org/snort-db/sid.html?sid=2193 BTW, if you haven't pulled Oinkmaster down yet, that is a must, very good tool for updating your sigs and to see what changes. Good luck,-----Original Message----- From: CMartin () infosol com [mailto:CMartin () infosol com] Sent: Wednesday, August 13, 2003 2:18 PM To: erek () snort org Cc: snort-users () lists sourceforge net Subject: RE: [Snort-users] Snort rules updated? Thanks Erek, I'll join the mailing list to keep myself up to date
on
thesigs, and I like your idea for my own signatures. But since I
missed
theemail says whether the sigs are up to date with DCOM detectionability. Iwas wondering if you can tell me if the rules are up to date? -----Original Message----- From: Erek Adams [mailto:erek () snort org] Sent: Wednesday, August 13, 2003 1:40 PM To: CMartin () infosol com Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort rules updated? On Wed, 13 Aug 2003 CMartin () infosol com wrote:Just wanted to get the word when the official rule sets getupdatedwith the rules to detect DCOM exploit as well as the worm
associated
withthe exploit (mblaster.exe). I like the idea of adding the rulemyself;however, I wouldn't mind bringing my systems up to date bydownloadingtherule sets with the new rules implemented. I'm hoping the rule
sets
thatareon the site now are updated :)Join the snort-sigs mailing list. It's been posted numerous timesoverthe last few days. And as for adding rules yourself: Create a "my.rules" and place
your
rules in there. Then whenever you auto update rules, that won't get overwritten. Be sure and add it to the include lines at the bottom
of
snort.conf. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites
including
Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click- url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort rules updated? CMartin (Aug 13)
- RE: Snort rules updated? Jim Grossl (Aug 13)
- Re: Snort rules updated? Erek Adams (Aug 13)
- <Possible follow-ups>
- RE: Snort rules updated? CMartin (Aug 13)
- RE: Snort rules updated? Christopher Lyon (Aug 14)
- RE: Snort rules updated? John York (Aug 14)
- RE: Snort rules updated? Christopher Lyon (Aug 14)