security.ids.snort.sigs (date)

security.ids.snort.sigs (date)

July 30, 2004

Thank you!, Joseph Gama
Thank you!, Joseph Gama
FP on BLEEDING-EDGE Pwdump3e Password Hash Retrieval, Matt Ostiguy
sig for backdoor.krei, Graeme Rider
FPs with SID:2587 "P2P eDonkey transfer", Jason Haar

July 29, 2004

Re: Rule #2000900, Matthew Jonkman
Re: What is the & operator in byte_test for?, Matt Kettler
RE: What is the & operator in byte_test for?, Jeff Dell
Re: Rule #2000900, Ole-Martin
Re: What is the & operator in byte_test for?, Keith W. McCammon
RE: What is the & operator in byte_test for?, Jeff Dell
Re: What is the & operator in byte_test for?, Keith W. McCammon
What is the & operator in byte_test for?, Joseph Gama
http_inspect, Esler, Joel - Contractor
Colin Slevin/TRANSWARE/IE is out of the office., Colin . Slevin
JoltID, Matthew Jonkman
Re: Rule #2000900, Matthew Jonkman
Rule #2000900, Ole-Martin
suggestion, Joseph Gama

July 28, 2004

Re: Mydoom.M signatures, Hugo van der Kooij
Re: Unknown IIS Issue, Matthew Jonkman
Re: Unknown IIS Issue, Matthew Jonkman
Re: Unknown IIS Issue, Frank Knobbe
Re: Unknown IIS Issue, Frank Knobbe
Re: Mydoom.M signatures, Keith W. McCammon
Re: Mydoom.M signatures, Keith W. McCammon
Mydoom.M signatures, Roach4
RE: sigs with asn1 fails, Eric Hines
RE: sigs with asn1 fails, Eric Hines
Re: Sdbot and Spybot Worm sigs?, Keith W. McCammon
Re: sigs with asn1 fails, Matthew Jonkman
Re: sigs with asn1 fails, Keith A. Pachulski
Parasite Rules, Matthew Jonkman
Re: sigs with asn1 fails, Keith A. Pachulski
Re: sigs with asn1 fails, Brian
RE: sigs with asn1 fails, Joshua Berry
Re: sigs with asn1 fails, Brian
Re: sigs with asn1 fails, Jason
pcre fails when using ; or (, Joseph Gama
sigs with asn1 fails, Rocio Alfonso Pita
RE: rule 1497 should be fixed, Joseph Gama

July 27, 2004

IMPORTANT BLEEDING SNORT UPDATE!!, Matthew Jonkman
Parasite malware set, Matthew Jonkman
rule 1667 should be replaced, Joseph Gama
Sdbot and Spybot Worm sigs?, Raj Wurttemberg
More false negatives for 716.10 (TELNET access), nnposter
RE: Sid 1328 and 1329, Joshua Berry
asn1 rules FP?, Nerijus Krukauskas
RE: rule 1497 should be fixed, Shomiron Das Gupta [NetMonastery]
RE: Sid 1328 and 1329, Shomiron Das Gupta [NetMonastery]
rule 1497 should be fixed, Joseph Gama

July 26, 2004

Re: huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?, Matthew Watchinski
Re: Re: huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?, Matt Ostiguy
Re: Tagged Packet?, Jason
Re: huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?, Matthew Watchinski
RE: Tagged Packet?, Esler, Joel - Contractor
Re: Tagged Packet?, Daniel Roelker
Re: Tagged Packet?, Jason Alexander
Sid 1328 and 1329, Joshua Berry
Tagged Packet?, Rowland, Krisa W ERDC-ITL-MS Contractor
huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?, Matt Ostiguy
Re: rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow, Judy Novak

July 25, 2004

Re: New Malware/Spyware rules, Matthew Jonkman
Re: New Malware/Spyware rules, Jason Haar
New Malware/Spyware rules, Matthew Jonkman
Re: snort rules and -CURRENT for 2.1.3, Xram_LraK
Re: Traffic parsing order, Matthew Watchinski
More Malware rules, Matthew Jonkman

July 24, 2004

Some adware fun, Matthew Jonkman
RE: ipcop-13 "virus.rules" maintainance, Corey Rock

July 23, 2004

False positives in rule 1113, Federico Petronio

July 22, 2004

Re: rule to catch "Bargain Buddy" downloads, Matthew Jonkman
Re: Excluding the snort host from all rules?, Keith W. McCammon
rule to catch "Bargain Buddy" downloads, Miner, Jonathan W (CSC) (US SSA)
RE: snort rules and -CURRENT for 2.1.3, Rowland, Krisa W ERDC-ITL-MS Contractor
Why not to use flags:AP, Matthew Watchinski
Re: Excluding the snort host from all rules?, Matthew Watchinski
Bypassing rules with spaces in scripts, Joseph Gama

July 21, 2004

AOL Webmail rules, Matthew Jonkman
Re: Snort-sigs digest, Vol 1 #1022 - 9 msgs, Todd Smith
Re: snort rules and -CURRENT for 2.1.3, Eric Jacobsen
RE: a few more rules FALSE POS, Joseph Gama
RE: a few more rules FALSE POS - fixed, Joseph Gama
RE: a few more rules FALSE POS, Adrian Marsden
Re: rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow, Joseph Gama
sid:2578 sid 2579, Mark
Re: rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow, Matthew Jonkman
Re: new rules for Kcast ticker, Matthew Jonkman
new rules for Kcast ticker, Miner, Jonathan W (CSC) (US SSA)
Traffic parsing order, Cluett, Russell
more scan rules, Joseph Gama
Re: pwdump, l0phtcrack, hash extraction, Matthew Jonkman
VECNA scan rules, Joseph Gama
rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow, Joseph Gama
Re: Remote Anything Sig, Joseph Gama
RE: Netbios Domain Name Sig, Joseph Gama

July 20, 2004

Remote Anything Sig, Jason Alexander
RE: pwdump, l0phtcrack, hash extraction, Matt Sheridan
Re: pwdump, l0phtcrack, hash extraction, Matt Sheridan
RE: Excluding the snort host from all rules?, Harper, Patrick
Re: pwdump, l0phtcrack, hash extraction, Matthew Jonkman
Re: pwdump, l0phtcrack, hash extraction, Matthew Jonkman
RE: pwdump, l0phtcrack, hash extraction, Kreimendahl, Chad J
Re: pwdump, l0phtcrack, hash extraction, Brian
Re: Suspicious File Extensions, Matthew Jonkman
pwdump, l0phtcrack, hash extraction, Matt Sheridan
ipcop-13 "virus.rules" maintainance, Ivan Parker
rules in tgz format, no docs, Joseph Gama
Excluding the snort host from all rules?, R S
Re: Netbios Domain Name Sig, Ron Jackson
PHP-Nuke SQL injection rule, Federico Petronio
False Positive - ATTACK-RESPONSES id check returned userid, Gary Verhulp
Sig #, Ron WILSON
RE: Suspicious File Extensions, Herb Martin
Re: question about sid:2570, Richard Ullrich
a few more rules, Joseph Gama
Rules to detect netbios unauthorized access, Joseph Gama
Re: Suspicious File Extensions, Jason
Re: Suspicious File Extensions, Matthew Jonkman
Re: Suspicious File Extensions, Joe Flowers
Suspicious File Extensions, Matthew Jonkman

July 19, 2004

Re: Unknown IIS Issue, Matthew Jonkman
Re: Unknown IIS Issue, Matthew Watchinski
RE: do you know what is it ?, Erik Lalancette
RE: do you know what is it ?, Harper, Patrick
RE: do you know what is it ?, Harper, Patrick
Re: do you know what is it ?, Roach4
Re: do you know what is it ?, sekure
do you know what is it ?, Erik Lalancette
PHP-Nuke SQL injection rule, Federico Petronio
Re: Re: False positive C$ - signatures 2470, 2472, 2471 and 533, sekure

July 18, 2004

Re: Interesting false positive for HTTP_Connect, Matthew Jonkman
Re: Interesting false positive for HTTP_Connect, Jason
Re: Interesting false positive for HTTP_Connect, Matthew Jonkman
Re: Interesting false positive for HTTP_Connect, Matthew Jonkman
Re: Interesting false positive for HTTP_Connect, Jason
Re: Interesting false positive for HTTP_Connect, Jason
Re: Interesting false positive for HTTP_Connect, Matthew Jonkman
Re: Interesting false positive for HTTP_Connect, Matthew Jonkman
Unknown IIS Issue, Matthew Jonkman
Re: Interesting false positive for HTTP_Connect, Jason

July 17, 2004

Interesting false positive for HTTP_Connect, Matthew Jonkman
RE: HTTP Tunneling, Chris Kronberg

July 16, 2004

Re: False positive C$ - signatures 2470, 2472, 2471 and 533, Matthew Watchinski
Re: How to reapply a sig on packets in a same session, Matthew Watchinski
Russian Ebay scam rule, Matthew Jonkman
Re: HTTP Tunneling, Matthew Jonkman
RE: Netbios Domain Name Sig, Tim Otis
Comet Cursor Spyware, Matthew Jonkman
snort-rules CURRENT update @ Fri Jul 16 16:15:40 2004, bmc
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
RE: Netbios Domain Name Sig, Jason Linden
RE: HTTP Tunneling, Schmehl, Paul L
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
RE: HTTP Tunneling, Joshua Berry
Re: HTTP Tunneling, sekure
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
Re: HTTP Tunneling, Matthew Jonkman
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
Re: Does anyone know how to check the urgent pointer (not the URG flag)?, Matthew Watchinski
RE: HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
RE: HTTP Tunneling, Joshua Berry
HTTP Tunneling, Barnes Brandon A1C AFWA/SCHS
BLEEDING-EDGE IE spyware downloader get.php, Matthew Jonkman
Re: Netbios Domain Name Sig, Ron Jackson
Re: New rules, Matthew Jonkman
New rules, Joseph Gama
SMS dos rule, Johnathan Norman

July 15, 2004

Re: Netbios Domain Name Sig, nnposter
Does anyone know how to check the urgent pointer (not the URG flag)?, Joseph Gama
Re: question about sid:2570, Jason
Re: question about sid:2570, Brian
Netbios Domain Name Sig, Jason Linden
question about sid:2570, Miner, Jonathan W (CSC) (US SSA)
Atak Rule, Matthew Jonkman
Re: sig 528 false positive, Matthew Watchinski
Re: False positive on rule SID 2403 NETBIOS SMB Session Setup AndX request unicode username overflow attempt, Nigel Houghton
Re: Invalid TCP packet, header length<20 bytes, Chris Reining
Re: False positive C$ - signatures 2470, 2472, 2471 and 533, sekure
Invalid TCP packet, header length<20 bytes, Joseph Gama

July 14, 2004

Re: False positive C$ - signatures 2470, 2472, 2471 and 533, Brian
Denial of Service (DoS) in Microsoft SMS Client Signature, Terence Runge
Re: Rule 2101 FP's..., Nigel Houghton
Rules for MS-SQL, Joseph Gama
mysql.php3 [snort with MySQL], drigattieri
RE: Unknown IIS Worm Sigs, Hoover, James A (EIS, Corp)
sig 528 false positive, Dan Heideman
major problems with 2.1 snapshot rules?, Eric Bowser
False positive on rule SID 2403 NETBIOS SMB Session Setup AndX request unicode username overflow attempt, Joseph Gama
probable false positive (NOT attack information; this is a "possible bug" report), Gabriel Maybrun
SNORT false positives, Scott Elgram
Rule 2101 FP's..., Tobias Rice
False positive/negative, Rasmus Carstensen
False positive C$ - signatures 2470, 2472, 2471 and 533, erik
How to reapply a sig on packets in a same session, Chich Thierry
False positive, Antonio Henrique A. P. Oliveira
RE: Unknown IIS Worm Sigs, Hoover, James A (EIS, Corp)
MS04-021.mspx, Murat Korkmaz
Re: HTTP_PORTS Question, Brian
Re: HTTP_PORTS Question, Matthew Jonkman
Re: HTTP_PORTS Question, Matthew Jonkman
Re: HTTP_PORTS Question, sekure
RE: where i cant find, Erik Lalancette
Re: HTTP_PORTS Question, Matthew Jonkman
New MS_SQL Rules, Matthew Jonkman
HTTP_PORTS Question, Matthew Jonkman

July 13, 2004

Re: Shell code Rules 653 and 2314, Brian
Re: where i cant find, Matt Kettler
Re: where i cant find, Matthew Jonkman
RE: Disabling 2 rules, Eric Hines
RE: Disabling 2 rules, Eric Hines
where i cant find, Erik Lalancette
Re: Disabling 2 rules, Matthew Jonkman
Shell code Rules 653 and 2314, Scott Zawalski
Re: detect most binary file formats, Matthew Jonkman
Disabling 2 rules, Matthew Jonkman
BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong input with an OR, Matthew Jonkman
Re: detect most binary file formats, Jason Haar
Re: detect most binary file formats, Matthew Jonkman
detect most binary file formats, Joseph Gama
Great new MS SQL Rules, Matthew Jonkman
Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3, Matthew Jonkman
Improved code to create the relationships in MS-SQL, Joseph Gama

July 12, 2004

false positive for SID 2123, Joseph Gama

July 09, 2004

Re: Uricontent issue, Matthew Jonkman
RE: rule revision tracking, Joshua Berry
Bug found when using "output database: log, mssql" in snort.conf, Joseph Gama
Re: rule revision tracking, John Nagro
Re: rule revision tracking, John Nagro
Re: rule revision tracking, Matt Kettler
RE: Uricontent issue, Miner, Jonathan W (CSC) (US SSA)
Re: rule revision tracking, Matthew Watchinski
Re: Uricontent issue, Matthew Jonkman
Re: Rules to get the first 3 bytes from a UDP packet fail, Matthew Watchinski
New gator sig, Matthew Jonkman
rule revision tracking, John Nagro
Gain/Gator spyware sig, Esler, Joel - Contractor
Re: Uricontent issue, Matthew Jonkman
RE: Uricontent issue, Kreimendahl, Chad J
Re: BIttorrent Signature updates, Matthew Jonkman
Re: BIttorrent Signature updates, Matthew Jonkman
Re: BIttorrent Signature updates, Chich Thierry
Uricontent issue, Matthew Jonkman
Re: BIttorrent Signature updates, Matthew Jonkman
Re: BIttorrent Signature updates, Chich Thierry
Scob Updates, Matthew Jonkman
Re: Rules for ject and scob worms, Matthew Jonkman

July 08, 2004

Rules to get the first 3 bytes from a UDP packet fail, Joseph Gama
PHILIP LJUNGBERG heeft verlof., philip . ljungberg
Rules for ject and scob worms, Joseph Gama
New submissions, Matthew Jonkman
Re: BIttorrent Signature updates, Matthew Jonkman
Re: BIttorrent Signature updates, Matthew Watchinski
Re: BIttorrent Signature updates, Nigel Houghton
Re: BIttorrent Signature updates, Matthew Jonkman
RE: snort rules and -CURRENT for 2.1.3, Rowland, Krisa W ERDC-ITL-MS Contractor
Re: BIttorrent Signature updates, Nigel Houghton
Re: BIttorrent Signature updates, Matthew Jonkman
Re: BIttorrent Signature updates, Nigel Houghton
BIttorrent Signature updates, Matthew Jonkman
Re: Yahoo mail updates, Matthew Jonkman
Re: Is modifier depth:32 required in the sid rule no. 1102, Matthew Watchinski

July 07, 2004

Re: Sid:2113 FP, Matthew Watchinski
Re: Yahoo mail updates, Matthew Watchinski
Maleware Keenvalue, Matthew Jonkman
Re: [Fwd: Proposed change to the Virus Rule], Matthew Jonkman
Re: [Fwd: Proposed change to the Virus Rule], Brian
Re: How to filter by only the first 3 bytes of data?, Brian
Re: False positive NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt, Brian
Re: Bug in 1934.6? (POP2 FOLD overflow attempt), Brian
Improved code for creating the data structure in MS-SQL 2000, Joseph Gama
False positive NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt, Joseph Gama
How to filter by only the first 3 bytes of data?, Joseph Gama
Re: New bleeding sigs, Matthew Jonkman
RE: [Fwd: Proposed change to the Virus Rule], nnposter

July 06, 2004

[Fwd: Proposed change to the Virus Rule], Matthew Jonkman
Re: New bleeding sigs, Matthew Jonkman
Bug in 1934.6? (POP2 FOLD overflow attempt), nnposter
Re: New bleeding sigs, Kevin Kolk
New bleeding sigs, Matthew Jonkman
Avoidance of 663.13 (SMTP rcpt to command attempt), nnposter
Avoidance of 2270.4 (SMTP RCPT TO sendmail prescan too long addresses overflow), nnposter
Re: Avoidance of 1260.10 (WEB-MISC long basic authorization string), nnposter
Re: POP2 commands case-sensitive?, Brian
Re: False positives on 1807.9 (WEB-MISC Chunked-Encoding transfer attempt), Brian
Re: Poor detection rate by 1:716:6 (TELNET access), Brian
Re: False negatives on 1:491:6 (INFO FTP Bad login), Brian
Re: False positives on 1806.7 (WEB-IIS .htr chunked Transfer-Encoding), Brian
Re: Avoidance of 2278.6 (WEB-MISC negative Content-Length attempt), Brian
Re: False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding), Brian
Re: Avoidance of 2230.5 (WEB-MISC NetGear router default password login attempt admin/password), Brian
Re: Bug in 654.13 (SMTP RCPT TO overflow), Brian
Re: Avoidance of 1:1970:1 (WEB-IIS MDAC Content-Type overflow attempt), Brian
Re: Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt), Brian
Re: Avoidance of 664.13 (SMTP RCPT TO decode attempt), Brian
Re: Avoidance of 2437.5 (WEB-CLIENT RealPlayer arbitrary javascript command attempt), Brian
Re: Avoidance of 1861.7 (WEB-MISC Linksys router default username and password login attempt), Brian
Re: Avoidance of 1992.5 (FTP LIST directory traversal attempt), Brian
Re: Avoidance of 1817.4 (WEB-IIS MS Site Server default login attempt), Brian
Re: Avoidance of 1260.10 (WEB-MISC long basic authorization string), Brian
Re: Avoidance of 1860.4 (WEB-MISC Linksys router default password login attempt), Brian
Re: Avoidance of 1672.10 (FTP CWD ~ attempt), Brian
Re: Signature contributions, Brian
Further tweaks for the Evaman rule, Matthew Jonkman
Evaman Worm Sig, Matthew Jonkman
Evaman Worm Outbound BLEEDINGSNORT, James Ashton

July 03, 2004

Proposed change to the Virus Rule, Matthew Jonkman
Re: Avoidance of 2230.5 (WEB-MISC NetGear router default password login attempt admin/password), Matthew Jonkman
Avoidance of 664.13 (SMTP RCPT TO decode attempt), nnposter
Bug in 654.13 (SMTP RCPT TO overflow), nnposter
Avoidance of 2278.6 (WEB-MISC negative Content-Length attempt), nnposter
Avoidance of 2230.5 (WEB-MISC NetGear router default password login attempt admin/password), nnposter
Avoidance of 1861.7 (WEB-MISC Linksys router default username and password login attempt), nnposter
False positives on 1807.9 (WEB-MISC Chunked-Encoding transfer attempt), nnposter
False positives on 1806.7 (WEB-IIS .htr chunked Transfer-Encoding), nnposter
False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding), nnposter
Avoidance of 1260.10 (WEB-MISC long basic authorization string), nnposter
Re: Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt), nnposter
Re: Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt), Brian
Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt), nnposter
Avoidance of 2437.5 (WEB-CLIENT RealPlayer arbitrary javascript command attempt), nnposter
Avoidance of 1992.5 (FTP LIST directory traversal attempt), nnposter
Avoidance of 1860.4 (WEB-MISC Linksys router default password login attempt), nnposter
Avoidance of 1817.4 (WEB-IIS MS Site Server default login attempt), nnposter
Avoidance of 1672.10 (FTP CWD ~ attempt), nnposter

July 02, 2004

Squid NTML Auth overflow sig, Matthew Jonkman

July 01, 2004

Re: Yahoo mail updates, Matthew Jonkman
RE: Yahoo mail updates, Adrian Marsden
Yahoo mail updates, Matthew Jonkman
False positive for 2461, Matthew Jonkman
False positive for 2460, Matthew Jonkman
Sid:2113 FP, sekure

News | FAQ | advertise