Comments on: The Tao of Signature Writing – Part 4 http://sign.kaffenews.com/?p=71 Blogging the Science of Signature Analysis Mon, 05 Apr 2010 20:03:06 +0000 hourly 1 By: Signature Analytics » Blog Archive » The Tao of Signature Writing … | InfoSec Resources http://sign.kaffenews.com/?p=71&cpage=1#comment-126 Signature Analytics » Blog Archive » The Tao of Signature Writing … | InfoSec Resources Mon, 05 Apr 2010 20:03:06 +0000 http://sign.kaffenews.com/?p=71#comment-126 [...] more from the original source: Signature Analytics » Blog Archive » The Tao of Signature Writing … AKPC_IDS += "563,";Popularity: unranked [...] [...] more from the original source: Signature Analytics » Blog Archive » The Tao of Signature Writing … AKPC_IDS += "563,";Popularity: unranked [...]

]]> By: fimz http://sign.kaffenews.com/?p=71&cpage=1#comment-124 fimz Sat, 27 Mar 2010 01:24:17 +0000 http://sign.kaffenews.com/?p=71#comment-124 Hi, Great article. This has however raised a question in my mind, rather confusion. Ive seen the terms snort rules and snort signatures being used interchangeably across many texts. I would really like to know which is which. e.g. which heading would the rule below come under: Snort Rule example or Snort Signature Example: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 0 1|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; sid:2003; rev:2;) Comments, help, pointers appreciated? Im sure there are others who have came across the same controversy. Thanks, fimz Hi,

Great article. This has however raised a question in my mind, rather confusion.

Ive seen the terms snort rules and snort signatures being used interchangeably across many texts. I would really like to know which is which. e.g.
which heading would the rule below come under:

Snort Rule example or Snort Signature Example:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:”MS-SQL Worm propagation attempt”; content:”|04|”; depth:1; content:”|81 F1 03 01 04 9B 81 F1 0 1|”; content:”sock”; content:”send”; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; sid:2003; rev:2;)

Comments, help, pointers appreciated? Im sure there are others who have came across the same controversy.

Thanks, fimz

]]> By: Signature Analyst http://sign.kaffenews.com/?p=71&cpage=1#comment-8 Signature Analyst Tue, 23 Feb 2010 00:49:35 +0000 http://sign.kaffenews.com/?p=71#comment-8 It is great review & response to be honest. I have never gotten such a granular response. Definitely something to learn from... Thank you Joel. It is great review & response to be honest. I have never gotten such a granular response. Definitely something to learn from… Thank you Joel.

]]> By: Joel Esler http://sign.kaffenews.com/?p=71&cpage=1#comment-7 Joel Esler Tue, 23 Feb 2010 00:42:14 +0000 http://sign.kaffenews.com/?p=71#comment-7 http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html Just some constructive feedback. I'm not trying to offend. http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html

Just some constructive feedback. I’m not trying to offend.

]]> By: Writing Snort Rules is harder than it looks | Finshake http://sign.kaffenews.com/?p=71&cpage=1#comment-6 Writing Snort Rules is harder than it looks | Finshake Tue, 23 Feb 2010 00:41:53 +0000 http://sign.kaffenews.com/?p=71#comment-6 [...] noticed this post today over at the “Tao of Signature Writing” blog, and to be honest I glanced over most [...] [...] noticed this post today over at the “Tao of Signature Writing” blog, and to be honest I glanced over most [...]

]]>