Snort mailing list archives

How to modify the signature reference in sid-msg.map


From: "Jinqiao Yu" <jinqiaoyu () hotmail com>
Date: Sat, 31 Jan 2004 20:34:08 -0500

Hi,
For whatever reason, I want to modify some signature references. For instance, in sid-msg.map, for signature 1923, the original message is as follows:
1923 || RPC portmap UDP proxy attempt

Then I changed it to:

1923 || RPC portmap UDP proxy attempt || cve, CAN-2003-0028 || bugtraq, 7123

In the rpc.rules file, the original corresponding line is as follows:

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:2;)

Then I changed it to:

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:1923; rev:2;)

I did this because I want Snort to give the two references wherever the signature is matched. The references will be shown in ACID also. But after I made the above changes and restarted Snort, I still got the same alert without any reference information (CAN-2003-0028, bugtraq 7123). Do I need to modify any additional information? I was trying this for quite a long time and could make it. Please help me.


Thanks in advance.
Victor
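
An added example, not part of the original post: a consistency check between a rule's reference options and the sid-msg.map entry with the same sid, run on the two modified lines quoted in the message. The function names are hypothetical, and the map format is assumed to be exactly the "sid || msg || system, id" layout shown above.

```python
import re

# Sample input: the modified rule and sid-msg.map line quoted in the message.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 111 '
        '(msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; '
        'content:"|00 00 00 05|"; distance:4; within:4; '
        'reference:cve,CAN-2003-0028; reference:bugtraq,7123; '
        'classtype:rpc-portmap-decode; sid:1923; rev:2;)')
MAP_LINE = ('1923 || RPC portmap UDP proxy attempt '
            '|| cve, CAN-2003-0028 || bugtraq, 7123')

def parse_rule(rule):
    """Return (sid, msg, [(system, id), ...]) from one rule's option block."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    sid, msg, refs = None, None, []
    # Split on ';' outside double quotes, so a ';' inside msg/content survives.
    for opt in re.findall(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+', body):
        key, _, val = opt.strip().partition(':')
        key, val = key.strip(), val.strip()
        if key == 'sid':
            sid = int(val)
        elif key == 'msg':
            msg = val.strip('"')
        elif key == 'reference':
            system, _, ident = val.partition(',')
            refs.append((system.strip(), ident.strip()))
    return sid, msg, refs

def parse_map_line(line):
    """Return (sid, msg, [(system, id), ...]) from one sid-msg.map line."""
    fields = [f.strip() for f in line.split('||')]
    refs = [tuple(p.strip() for p in f.split(',', 1)) for f in fields[2:] if f]
    return int(fields[0]), fields[1], refs

def to_map_line(rule):
    """Build the sid-msg.map line that corresponds to a rule."""
    sid, msg, refs = parse_rule(rule)
    return ' || '.join([str(sid), msg] + [f'{s}, {i}' for s, i in refs])

def check(rule, map_line):
    """List every disagreement between a rule and its map entry."""
    (r_sid, r_msg, r_refs) = parse_rule(rule)
    (m_sid, m_msg, m_refs) = parse_map_line(map_line)
    problems = []
    if r_sid != m_sid:
        problems.append(f'sid differs: rule {r_sid}, map {m_sid}')
    if r_msg != m_msg:
        problems.append(f'msg differs: rule {r_msg!r}, map {m_msg!r}')
    problems += [f'reference {r} in rule only' for r in r_refs if r not in m_refs]
    problems += [f'reference {r} in map only' for r in m_refs if r not in r_refs]
    return problems

if __name__ == '__main__':
    print(check(RULE, MAP_LINE) or 'rule and map entry agree')
```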
