[Snort-users] RE: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS"

From: larosa, vjay (larosa_vjayemc.com)
Date: Tue Jan 27 2004 - 20:08:50 CST


It's the : after Host. Change it to Host|3A|

vjl

-----Original Message-----
From: snort-sigs-adminlists.sourceforge.net
[mailto:snort-sigs-adminlists.sourceforge.net] On Behalf Of Robert Reid
Sent: Tuesday, January 27, 2004 11:21 AM
To: Snort-sigslists.sourceforge.net
Subject: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS"

Hi list,

I found a ManHunt signature for the Novarg worm/virus this morning on
Symantec's site and I am trying to make it work with Snort.

I'm sure I am missing something simple but it refuses to load.

"alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET /
HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)"

Any help with this would be greatly appreciated.

-----Original Message-----
From: snort-sigs-adminlists.sourceforge.net
[mailto:snort-sigs-adminlists.sourceforge.net] On Behalf Of Russell Fulton
Sent: Sunday, November 30, 2003 4:50 PM
To: Snort-sigslists.sourceforge.net
Subject: [Snort-sigs] some rules missing from sig-msg.map

Hi, I notice that some new rules in the 'stable' distribution don't have
entries in the sig-msg.map which causes minor problems for those using the
unified output.

SIDs that I am aware of are 2229 and 2253; there may be others but they are
not getting triggered by the traffic I see...

--
Russell Fulton, Network Security Officer, The University of Auckland, New
Zealand.

_______________________________________________
Snort-sigs mailing list
Snort-sigslists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
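The fix given in the reply (hex-encode the colon as |3A|), worked through as an added example that is not part of the original thread: it rewrites special literal characters inside a rule's content string into |hex| form and checks that the decoded pattern length agrees with dsize. The function names are hypothetical, the rule is the posted one joined onto a single line, and treating `;`, `"` and `\` like the colon is an assumption based on the Snort manual's list of characters that must be escaped in content.

```python
import re

# Literal characters that upset Snort's option parser inside content:"...".
# The colon is the one named in the reply; the other three are an assumption.
SPECIAL = {':', ';', '"', '\\'}

def split_content(content):
    """Yield (is_hex, text) chunks; odd-numbered pieces sit between | pipes."""
    for i, part in enumerate(content.split('|')):
        if part:
            yield (i % 2 == 1, part)

def harden(content):
    """Return content with special literal characters moved into |hex| form."""
    out = []
    for is_hex, text in split_content(content):
        if is_hex:
            out.append('|' + text + '|')
        else:
            out.append(''.join('|%02X|' % ord(c) if c in SPECIAL else c
                               for c in text))
    return ''.join(out)

def decode(content):
    """Return the bytes the content pattern matches on the wire."""
    raw = b''
    for is_hex, text in split_content(content):
        raw += (bytes.fromhex(text.replace(' ', '')) if is_hex
                else text.encode('latin-1'))
    return raw

def fix_rule(rule):
    """Rewrite each content option; return (new_rule, decoded payloads)."""
    payloads = []
    def repl(m):
        fixed = harden(m.group(1))
        payloads.append(decode(fixed))
        return 'content:"' + fixed + '";'
    return re.sub(r'content:"(.*?)";', repl, rule), payloads

def dsize_ok(rule):
    """True if the rule's dsize equals the decoded content length."""
    new_rule, payloads = fix_rule(rule)
    m = re.search(r'dsize:\s*(\d+)\s*;', new_rule)
    return m is not None and int(m.group(1)) == len(payloads[0])

# The rule from the post, reassembled onto one line for this example.
RULE = ('alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; '
        'content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; '
        'offset:0; dsize:37;)')

if __name__ == '__main__':
    print(fix_rule(RULE)[0])
```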