Snort mailing list archives

RE: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS"


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 27 Jan 2004 21:08:50 -0500

It's the : after Host. Change it to Host|3A|

vjl

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Robert Reid
Sent: Tuesday, January 27, 2004 11:21 AM
To: Snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS"

Hi list,

I found a manhunt signature for the Novarg worm/virus this morning on
Symantec's site and I am trying to make it work with snort.

I'm sure I am missing something simple but it refuses to load.

"alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET /
HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)"

Any help with this would be greatly appreciated.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Russell Fulton
Sent: Sunday, November 30, 2003 4:50 PM
To: Snort-sigs () lists sourceforge net
Subject: [Snort-sigs] some rules missing from sig-msg.map

Hi, I notice that some new rules in the 'stable' distribution don't have
entries in the sig-msg.map which causes minor problems for those using the
unified output.

sids that I am aware of are 2229 and 2253, there may be others but they are
not getting triggered by the traffic I see...

--
Russell Fulton, Network Security Officer, The University of Auckland, New
Zealand.



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
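
The fix from the reply, as an added example that is not part of the original thread: a small Python linter that finds the unescaped `:` in the rule's `content` option, rewrites it as `|3A|`, and confirms the pattern still decodes to 37 bytes, matching `dsize:37`. The function names are hypothetical, and treating `;`, `"` and `\` as needing the same escaping is an assumption beyond the colon the thread names.

```python
import re

HEX_BLOCK = re.compile(r'\|([0-9A-Fa-f\s]*)\|')          # |0d0a| style byte runs
CONTENT_OPT = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
# ':' is the character named in the thread; ';', '"' and '\' are assumed here.
LITERAL_FIX = re.compile(r'\\(.)|([:;"\\])')

# The rule from the thread, unwrapped onto one logical line.
RULE = ('alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; '
        'content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; '
        'offset:0; dsize:37;)')

def split_content(pattern):
    """Yield (is_hex, text) pieces of a content pattern, in order."""
    pos = 0
    for m in HEX_BLOCK.finditer(pattern):
        if m.start() > pos:
            yield False, pattern[pos:m.start()]
        yield True, m.group(1)
        pos = m.end()
    if pos < len(pattern):
        yield False, pattern[pos:]

def escape_content(pattern):
    """Rewrite special characters in the literal parts as |XX| hex bytes."""
    to_hex = lambda m: '|%02X|' % ord(m.group(1) or m.group(2))
    return ''.join('|%s|' % t if is_hex else LITERAL_FIX.sub(to_hex, t)
                   for is_hex, t in split_content(pattern))

def decode_content(pattern):
    """Bytes the pattern matches, for checking its length against dsize."""
    return b''.join(bytes.fromhex(t) if is_hex
                    else re.sub(r'\\(.)', r'\1', t).encode('latin-1')
                    for is_hex, t in split_content(pattern))

def lint_rule(rule):
    """Return (unescaped specials, corrected rule, decoded content length)."""
    m = CONTENT_OPT.search(rule)
    if m is None:
        raise ValueError('rule has no content option')
    pattern = m.group(1)
    bad = [x.group(2) for is_hex, t in split_content(pattern) if not is_hex
           for x in LITERAL_FIX.finditer(t) if x.group(2)]
    fixed = rule[:m.start(1)] + escape_content(pattern) + rule[m.end(1):]
    return bad, fixed, len(decode_content(pattern))

if __name__ == '__main__':
    bad, fixed, length = lint_rule(RULE)
    print('unescaped:', bad, '| content bytes:', length)
    print(fixed)
```

Because `|3A|` is a single byte, the corrected pattern matches the same 37-byte payload and the rule's `dsize:37` needs no change.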



