signatures

Dop · February 4, 2011, 5:02pm

(Last one for today, I promise)

Given these two signatures:

signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
}

signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
}

We see both of them (which I'm about to ignore), but I don't understand
why one is triggered over the other.

Thanks,
Dop

Seth_Hall3 · February 4, 2011, 5:59pm

It's definitely best to get rid of both of those signatures. They aren't even matching what they claim to be matching because of those "Not supported" lines. It's just an internal implementation detail as to which one gets triggered because the signature engine is going to look to see which one matched and it will trigger the first one that it finds and then stop.

Pretty much anything that says "s2b" (snort2bro) will be gone from the next release and can even currently can be ignored. The snort2bro code has already been completely removed from the work repository

.Seth

Topic		Replies	Views
Snort 2 Bro Utility Zeek	2	93	May 6, 2022
signarture dst-port issue Zeek	2	75	May 6, 2022
False positive Zeek	4	77	May 6, 2022
Trouble compiling Bro release 0.8a48 on OpenBSD3.3 Zeek	1	68	May 6, 2022
create team for update snort2bro script signature ? Zeek	5	105	May 6, 2022

signatures

Related topics