124


Chapter 3     Working with Snort Rules


       Old: alert udp $EXTERNAL_NET any  > $HOME_NET 64 (msg:"TFTP Put"; 


content:"|00 02|"; offset:0; depth:2; reference:cve,CVE 1999 0183; 


reference:arachnids,148; classtype:bad unknown; sid:518; rev:3;)


       New: alert udp $EXTERNAL_NET any  > $HOME_NET 69 (msg:"TFTP Put"; 


content:"|00 02|"; offset:0; depth:2; reference:cve,CVE 1999 0183; 


reference:arachnids,148; classtype:bad unknown; sid:518; rev:3;)


[*] Non rule lines added/removed: [*]


    None.


[*] Added files: [*]


    None.


The tool gives you a detailed report of actions taken during the update process.


You can test this by deleting and modifying some rules and running the tool again. The


following is a partial output seen when Oinkmaster adds and updates some rules.


Comparing new files to the old ones... done.


[***] Results from Oinkmaster started Wed Jul 10 12:25:37 2002 [***]


[*] Rules added/removed/modified: [*]


  [+++]           Added:           [+++]


     > File "tftp.rules":


       alert udp any any  > any 69 (msg:"TFTP GET shadow"; content: "|0001|"; 


offset:0; depth:2; content:"shadow"; nocase; classtype:successful admin; 


sid:1442; rev:1;)


       alert udp any any  > any 69 (msg:"TFTP GET passwd"; content: "|0001|"; 


offset:0; depth:2; content:"passwd"; nocase; classtype:successful admin; 


sid:1443; rev:1;)


       alert udp $EXTERNAL_NET any  > $HOME_NET 69 (msg:"TFTP parent directory"; 


content:".."; reference:arachnids,137; reference:cve,CVE 1999 0183; 


classtype:bad unknown; sid:519; rev:1;)


  [///]       Modified active:     [///]


     > File "tftp.rules":


       Old: alert udp $EXTERNAL_NET any  > $HOME_NET 64 (msg:"TFTP Put"; 


content:"|00 02|"; offset:0; depth:2; reference:cve,CVE 1999 0183; 


reference:arachnids,148; classtype:bad unknown; sid:518; rev:3;)


       New: alert udp $EXTERNAL_NET any  > $HOME_NET 69 (msg:"TFTP Put"; 


content:"|00 02|"; offset:0; depth:2; reference:cve,CVE 1999 0183; 


reference:arachnids,148; classtype:bad unknown; sid:518; rev:3;)


[*] Non rule lines added/removed: [*]


    None.


[*] Added files: [*]


    None.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved