I want to thank everyone that responded to this thread your insight and
suggestions are greatly appreciated.
Thanks
Lance
-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com]
Sent: Friday, December 17, 2004 2:40 PM
To: Lance Boon
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] First attempt at writing a sig
Looks good now. I'll post this to bleedings snort and we'll see what
other feedback comes of it.
Matt
Lance Boon wrote:
Thanks for pointing that out here's the updated rule
alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000000; rev:2;)
This caught my traffic going to my remote subnets. I tried increasing
the revision # as well but to no avail so I changed the sid to 2000001
alert udp any any -> any any (msg:"Netop Remote Control Usage";
content:"|554b30303736305337473130|"; reference:url,www.netop.com;
classtype:policy-violation; sid:2000001; rev:1;)
Now it's showing up in Acid correctly
-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com]
Sent: Friday, December 17, 2004 2:10 PM
To: Lance Boon
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] First attempt at writing a sig
Not a bad run for a first sig. Thanks for posting it.
Why did you go home-home net? Why not home-any? Or even any-any? I'm
not
that familiar with the tool, but I'd think the most interesting traffic
would be someone from the outside connecting to a local box.
As far as why it doesn't show right in acid, not sure. It is crafted
correctly. Try increasing the rev number and hitting it again. I wonder
if maybe the first time you had a hit the msg was empty, in which case
it won't take the new msg until the rev # increases.
I'll put this up on bleeding snort for more testing after we sort out
the reasons for the home-home.
Matt
smime.p7s
Description: S/MIME cryptographic signature
