Snort mailing list archives

Rule categories


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 4 Jan 2012 10:10:07 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all, and a Happy New Year.

I'm trying to rationalise and tidy up some of my use of multiple (VRT,
ET) rulesets. In the process I'm trying to get a handle on different
rule categories.

Taking 3 arbitrary recently modified examples:

13470 - EXPLOIT Microsoft Office Publisher memory corruption attempt
(exploit.rules)
13865 - WEB-CLIENT Adobe BMP image handler buffer overflow attempt
(web-client.rules)
15993 - SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count
integer overflow attempt (specific-threats.rules)

- all of the above SIDs are for external web-based traffic (i.e.
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET) and are all classification
'attempted-user', but what makes for one rule being in one file and one
in another?

Thanks - just wondering with my post-Xmas befuddled brain.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPBCV/AAoJELhVoVpEMS6RMtAIAIhQH7jQeovmthfMDcoetI2A
Sw1GiBL/7p1naJZskFF4VJg+XbLh0/DMewZW77jGx5/dnTaprGg+LJRv3KOZaApQ
YtekZyDT6XNkfrgtL5bWEnFly4X5pYMrk8/DZ2ld/qMB8Il1qiI+DgHt1IPGn+2r
rgsJc1WOIPwhCOLJS5ks2Zwg7rFv0p4NQtbwTeZ8lMi9zLQ5wiVDQNmjW1xFmQBj
OHBh8EUSz02+wUMTIIh40EbvZfFjYwXae42YLNY09gyQkZAsMwdlCmYaw0O6vO6R
+Ku80Be5voPYqPXcr4ce5FHEvmhXoRE/Ch63yeK9voc7NJlb676FGYv6yhzWG8Y=
=uFzx
-----END PGP SIGNATURE-----
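The tidy-up described in the post (several rulesets, rules of one classtype spread over several category files) is easier with a small indexer. The following is an added example, not code from the post or from the Snort/VRT/ET projects: it parses rules in the standard Snort text format, records which file each SID lives in, summarises classtypes per file, reports SIDs that appear in more than one file (a real risk when mixing rulesets), and flags rules whose msg prefix does not match their file's category. That last check relies only on the convention visible in the three VRT examples above (EXPLOIT in exploit.rules, WEB-CLIENT in web-client.rules, SPECIFIC-THREATS in specific-threats.rules); it is an assumption, not a documented rule, and ET rules use their own "ET ..." prefixes, so it is only meaningful for VRT-style naming. All rule text, SIDs and messages below are constructed for the example and are not real rules.

```python
import re
from collections import defaultdict

# Constructed sample ruleset (assumption: not real VRT or ET rules; sids and msgs are made up).
SAMPLE_RULE_FILES = {
    "exploit.rules": '''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT example office document memory corruption attempt"; flow:to_client,established; content:"|D0 CF 11 E0|"; classtype:attempted-user; sid:9000001; rev:2;)
''',
    "web-client.rules": '''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example BMP handler overflow attempt"; flow:to_client,established; content:"BM"; classtype:attempted-user; sid:9000002; rev:1;)
# comment line followed by a disabled (commented-out) rule; both are skipped
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT disabled example"; classtype:attempted-user; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY example misfiled rule"; flow:to_server,established; content:"GET"; classtype:policy-violation; sid:9000004; rev:1;)
''',
    "specific-threats.rules": '''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS example flash integer overflow attempt"; flow:to_client,established; content:"|46 57 53|"; classtype:attempted-user; sid:9000002; rev:3;)
''',
}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' while honouring quoted values and backslash escapes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == '\\' and i + 1 < len(opts):   # keep escaped char (e.g. \; inside a msg)
            cur.append(ch)
            cur.append(opts[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return a dict for one rule line, or None for blank lines, comments and disabled rules."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    opts = {}
    for opt in split_options(m.group('opts')):
        key, _, val = opt.partition(':')          # options like content may repeat, so keep lists
        opts.setdefault(key.strip(), []).append(val.strip())
    rule['msg'] = opts.get('msg', ['""'])[0].strip('"')
    rule['classtype'] = opts.get('classtype', [None])[0]
    rule['sid'] = int(opts['sid'][0]) if 'sid' in opts else None
    rule['rev'] = int(opts['rev'][0]) if 'rev' in opts else None
    return rule


def load_rules(files):
    """files: {filename: text}. Returns the parsed rules, each tagged with its source file."""
    rules = []
    for fname, text in files.items():
        for line in text.splitlines():
            r = parse_rule(line)
            if r:
                r['file'] = fname
                rules.append(r)
    return rules


def category_of_file(fname):
    """'web-client.rules' -> 'WEB-CLIENT' (the msg-prefix convention seen in the VRT examples)."""
    return fname.rsplit('.', 1)[0].upper()


def misfiled(rules):
    """Rules whose msg prefix disagrees with the category implied by their file name."""
    return [(r['file'], r['sid'], r['msg']) for r in rules
            if r['msg'].split(' ', 1)[0] != category_of_file(r['file'])]


def sid_collisions(rules):
    """SIDs defined in more than one file: Snort will refuse or silently shadow duplicates."""
    by_sid = defaultdict(list)
    for r in rules:
        by_sid[r['sid']].append(r['file'])
    return {sid: files for sid, files in by_sid.items() if len(files) > 1}


def summarize(rules):
    """{file: {classtype: count}} so the classtype spread across category files is visible."""
    out = defaultdict(lambda: defaultdict(int))
    for r in rules:
        out[r['file']][r['classtype']] += 1
    return {f: dict(c) for f, c in out.items()}


if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULE_FILES)
    print('per file:', summarize(rules))
    print('sid collisions:', sid_collisions(rules))
    print('misfiled:', misfiled(rules))
```

Pointing `load_rules` at real files (read each `*.rules` into the dict) gives the same three reports for a live VRT or ET directory; the collision report is the one to run first when two rulesets are merged.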


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
