Wednesday, December 14, 2016

Documentation-less Snort Rules

Has anybody else noticed that what seems like the majority of new snort rules that come out and you can use in an IDS (intrusion detection systems) like Sourcefire don't have any documentation? You're stuck with

Summary: This rule does not have documentation

Or if you're lucky some link to a virus total page with no other explanation.

Well I thought it might be interesting to try to collect some brief links or documentation around some documentation-less snort rules. I did not write the rules, I have no insight into who did or why they did. I did not write the documentation either, I simply collected the information and put it in a spot where maybe if you're lucky and google searching why a snort rule fired and what it means, then I was just hoping this documentation would be helpful for you. Enjoy.

Sample initial documentation I put together for the documentation-less:
- SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt 41018 41019
- MALWARE-CNC Linux.DDoS.D93 outbound connection 40991
- SERVER-WEBAPP Oracle Weblogic default credentials login attempt 40905 40905
- MALWARE-CNC Win.Malware.Disttrack variant outbound connection 40906
- MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt 40910
- MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt 40911
- MALWARE-OTHER Win.Trojan.Flokibot variant download attempt 40912 40913

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment