This is a discussion on [Snort-users] RE: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS" within the Snort forums, part of the System Security and Security Related category.
It's the : after Host. Change it to Host|3A|

vjl

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Robert Reid
Sent: Tuesday, January 27, 2004 11:21 AM
To: Snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Signature for "W32_Novarg_SCO_DOS"

Hi list,

I found a ManHunt signature for the Novarg worm/virus this morning on Symantec's site and I am trying to make it work with Snort. I'm sure I am missing something simple but it refuses to load.

"alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)"

Any help with this would be greatly appreciated.

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Russell Fulton
Sent: Sunday, November 30, 2003 4:50 PM
To: Snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] some rules missing from sig-msg.map

Hi

I notice that some new rules in the 'stable' distribution don't have entries in the sig-msg.map which causes minor problems for those using the unified output.

sids that I am aware of are 2229 and 2253, there may be others but they are not getting triggered by the traffic I see...

--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
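The fix from the reply at the top of this thread, as an added example that is not part of the original posts and is not Snort's own code: a small checker that flags literal special characters in a rule's content option, hex-encodes a payload into |..| form, and confirms that the corrected content still decodes to the 37 bytes the rule's dsize expects. The function names are hypothetical, and treating semicolon, backslash and double quote like the colon is an assumption; only the colon comes from the thread.

```python
import re

# Bytes to write as |hex| instead of literally. The colon comes from the reply
# in this thread; semicolon, backslash and double quote are an assumption.
SPECIAL = set(b':;\\"')

# Rule exactly as posted in the thread, and the same rule with the reply's fix.
ORIGINAL = ('alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; '
            'content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;)')
FIXED = ORIGINAL.replace("Host:", "Host|3A|")

def decode_content(content):
    """Expand a content string (literal text plus |hex| runs) into bytes."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered parts sit between pipes and hold hex byte values.
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

def encode_content(payload):
    """Render raw bytes as a content string, hex-encoding special and non-printable bytes."""
    out, run = [], []
    def flush():
        if run:
            out.append("|" + " ".join(run) + "|")
            run.clear()
    for b in payload:
        if b in SPECIAL or b == 0x7C or not 0x20 <= b < 0x7F:
            run.append("%02X" % b)
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)

def lint_rule(rule):
    """Return findings for each content option: literal specials, dsize too small."""
    findings = []
    for content in re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', rule):
        literal = content.split("|")[0::2]  # text outside the |hex| runs
        for ch in sorted({c for seg in literal for c in seg if ord(c) in SPECIAL}):
            findings.append("literal %r in content; write it as |%02X|" % (ch, ord(ch)))
        m = re.search(r"dsize:\s*(\d+)", rule)  # only the exact-size form of dsize
        if m and int(m.group(1)) < len(decode_content(content)):
            findings.append("dsize is smaller than the content length")
    return findings
```
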