For it to show up as "Netop Remote Control Usage" in ACID you have to
add the entry to your sid-msg.map file, like this:
2000000 || Netop Remote Control Usage
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Lance Boon
Sent: Friday, December 17, 2004 3:03 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] First attempt at writing a sig
This is my first attempt at writing a sig and wondered if anybody had
any pointers. I got a pcap of a netop session to 2 different systems,
ran it through snort and noticed that the content was the same on in one
particular packet. So I wrote a rule for it, I have this working on my
network right now and haven't had any false positives yet. The only
thing that is bugging me and I'm sure that it's something that I'm
missing is that when an alert hits it doesn't read "Netop Remote Control
Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
alert udp $HOME_NET any -> $HOME_NET any (msg:"Netop Remote Control
Usage"; content:"|554b30303736305337473130|";
reference:url,www.netop.com; classtype:policy-violation; sid:2000000;
rev:1)
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
