Not a bad run for a first sig. Thanks for posting it.
Why did you go home-home net? Why not home-any? Or even any-any? I'm not
that familiar with the tool, but I'd think the most interesting traffic
would be someone from the outside connecting to a local box.
As far as why it doesn't show right in acid, not sure. It is crafted
correctly. Try increasing the rev number and hitting it again. I wonder
if maybe the first time you had a hit the msg was empty, in which case
it won't take the new msg until the rev # increases.
I'll put this up on bleeding snort for more testing after we sort out
the reasons for the home-home.
Matt
Lance Boon wrote:
This is my first attempt at writing a sig and wondered if anybody had
any pointers. I got a pcap of a netop session to 2 different systems,
ran it through snort and noticed that the content was the same on in one
particular packet. So I wrote a rule for it, I have this working on my
network right now and haven't had any false positives yet. The only
thing that is bugging me and I'm sure that it's something that I'm
missing is that when an alert hits it doesn't read "Netop Remote Control
Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
rev:1)
--
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
