Netop defaults to port 6502 but can be configured for any port. I have
2000000 || Netop Remote Control Usage || url,www.netop.com in the
sid-msg.map and have SIGHUP'd snort cleared out the alert in acid and
opened up netop again but still no difference just Snort Alert on the
acid page.
-----Original Message-----
From: David Lowless [mailto:dlowless@nildram.co.uk]
Sent: Friday, December 17, 2004 2:06 PM
To: Lance Boon
Subject: Re: [Snort-sigs] First attempt at writing a sig
You need to update /path/to/rules/sid-msg.map
Also can netop use any port? if not the second "any" in the rule will
help
stop false postives.
hope that helps you.
Dave
----- Original Message -----
From: "Lance Boon" <lboon@firststatebanksw.com>
To: <snort-sigs@lists.sourceforge.net>
Sent: Friday, December 17, 2004 8:03 PM
Subject: [Snort-sigs] First attempt at writing a sig
This is my first attempt at writing a sig and wondered if anybody had
any pointers. I got a pcap of a netop session to 2 different systems,
ran it through snort and noticed that the content was the same on in
one
particular packet. So I wrote a rule for it, I have this working on my
network right now and haven't had any false positives yet. The only
thing that is bugging me and I'm sure that it's something that I'm
missing is that when an alert hits it doesn't read "Netop Remote
Control
Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
rev:1)
smime.p7s
Description: S/MIME cryptographic signature
