Snort mailing list archives
RE: Snort rules updated?
From: "Christopher Lyon" <cslyon () netsvcs com>
Date: Thu, 14 Aug 2003 18:07:29 -0700
Ah yes, I see them not. Funny, they weren't up there a few days ago. Thanks for pointing that out!
-----Original Message-----
From: John York [mailto:YorkJ () brcc edu]
Sent: Thursday, August 14, 2003 10:24 AM
To: Christopher Lyon; CMartin () infosol com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?

I think the rules ARE in the current download from the snort website, both the current and stable. Look in netbios.rules, and at the bottom you should see two rules with this message: "NETBIOS DCERPC ISystemActivator bind attempt".

Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Christopher Lyon
Sent: Thursday, August 14, 2003 3:33 AM
To: CMartin () infosol com; erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?

It doesn't look like the DCOM rules are in the ../dl/snortrules-current.tar.gz or in the CVS tree. I am sure they will get them in there but for now use what they have listed:

http://www.snort.org/snort-db/sid.html?sid=2192
http://www.snort.org/snort-db/sid.html?sid=2193

BTW, if you haven't pulled Oinkmaster down yet, that is a must, very good tool for updating your sigs and to see what changes.

Good luck,

-----Original Message-----
From: CMartin () infosol com [mailto:CMartin () infosol com]
Sent: Wednesday, August 13, 2003 2:18 PM
To: erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?

Thanks Erek, I'll join the mailing list to keep myself up to date on the sigs, and I like your idea for my own signatures. But since I missed the email says whether the sigs are up to date with DCOM detection ability. I was wondering if you can tell me if the rules are up to date?
-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, August 13, 2003 1:40 PM
To: CMartin () infosol com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules updated?

On Wed, 13 Aug 2003 CMartin () infosol com wrote:

Just wanted to get the word when the official rule sets get updated with the rules to detect DCOM exploit as well as the worm associated with the exploit (mblaster.exe). I like the idea of adding the rule myself; however, I wouldn't mind bringing my systems up to date by downloading the rule sets with the new rules implemented. I'm hoping the rulesets that are on the site now are updated :)

Join the snort-sigs mailing list. It's been posted numerous times over the last few days.

And as for adding rules yourself: Create a "my.rules" and place your rules in there. Then whenever you auto update rules, that won't get overwritten. Be sure and add it to the include lines at the bottom of snort.conf.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
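The two checks discussed in this thread (are sids 2192 and 2193 active in netbios.rules, and is a local my.rules actually included from snort.conf) can be scripted so they run after every rules update. This is an added example, not part of the original messages or the Snort distribution; it assumes Snort 2.x-style "include" lines, and the sample rule bodies, local sid 1000001 and file layout are constructed placeholders.

```shell
#!/bin/sh
# has_sid FILE SID: true if an uncommented rule in FILE carries sid:SID.
has_sid() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq "sid:[[:space:]]*$2[[:space:]]*;"
}

# has_include CONF NAME: true if CONF has an active "include <path>/NAME" line.
has_include() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*include[[:space:]]+([^[:space:]]*/)?${name}[[:space:]]*\$" "$1" 2>/dev/null
}

# audit_rules RULES_DIR SNORT_CONF: prints findings, returns the problem count.
audit_rules() {
    dir=$1; conf=$2; problems=0
    for sid in 2192 2193; do
        if has_sid "$dir/netbios.rules" "$sid"; then
            echo "ok: sid $sid present in netbios.rules"
        else
            echo "MISSING: sid $sid not found in $dir/netbios.rules"
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dir/my.rules" ] && ! has_include "$conf" my.rules; then
        echo "WARNING: my.rules exists but $conf never includes it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# make_sample DIR: constructed sample files (placeholder rule bodies, not the
# real signatures). sid 2193 is commented out; the my.rules include is disabled.
make_sample() {
    mkdir -p "$1/rules"
    cat > "$1/rules/netbios.rules" <<'EOF'
alert tcp any any -> any any (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; sid:2192; rev:1;)
# alert tcp any any -> any any (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; sid:2193; rev:1;)
EOF
    echo 'alert tcp any any -> any any (msg:"LOCAL constructed test rule"; sid:1000001; rev:1;)' > "$1/rules/my.rules"
    printf '%s\n' 'var RULE_PATH ./rules' 'include $RULE_PATH/netbios.rules' \
        '# include $RULE_PATH/my.rules' > "$1/snort.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_rules "$tmp/rules" "$tmp/snort.conf" || echo "problems found: $?"
rm -rf "$tmp"
```

Commented-out rules and commented-out include lines are deliberately treated as absent, since Snort will not load either.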
Current thread:
- Snort rules updated? CMartin (Aug 13)
- RE: Snort rules updated? Jim Grossl (Aug 13)
- Re: Snort rules updated? Erek Adams (Aug 13)
- <Possible follow-ups>
- RE: Snort rules updated? CMartin (Aug 13)
- RE: Snort rules updated? Christopher Lyon (Aug 14)
- RE: Snort rules updated? John York (Aug 14)
- RE: Snort rules updated? Christopher Lyon (Aug 14)