ODIN: The SWISS IDS Project
Snort Signatures

Introduce a PROXY_HOST variable: connections to the proxy on port 8080 produced many false positives for this rule, so the proxy's address is excluded from the destination.

var PROXY_HOST x.y.z.a

alert tcp $EXTERNAL_NET any -> !$PROXY_HOST 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:3;)
Introduce a GW variable: the gateway legitimately sends many ICMP redirects, so it is excluded from the source of this rule.

var GW x.y.z.v

alert icmp !$GW any -> $HOME_NET any (msg:"ICMP redirect host"; itype:5; icode:1; reference:arachnids,135; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:472; rev:1;)
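To check that the two tuned rule headers really exclude the proxy and the gateway, the following added Python (not part of the ODIN page or of Snort) resolves Snort variables, including the leading "!" negation, and reports which SIDs a given packet header would match. The addresses in CONFIG are constructed examples standing in for the page's x.y.z.a and x.y.z.v placeholders; only rule headers are evaluated, not options such as flags:S or itype.

```python
import ipaddress
import re

# Constructed Snort config mirroring the page's tuning; x.y.z.a / x.y.z.v are replaced by example values.
CONFIG = """
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
var PROXY_HOST 10.0.0.10
var GW 10.0.0.1
"""

# The page's two tuned rules, each on one line as Snort requires.
RULES = [
    'alert tcp $EXTERNAL_NET any -> !$PROXY_HOST 8080 (msg:"SCAN Proxy \\(8080\\) attempt"; '
    'flags:S; classtype:attempted-recon; sid:620; rev:3;)',
    'alert icmp !$GW any -> $HOME_NET any (msg:"ICMP redirect host"; itype:5; icode:1; '
    'reference:arachnids,135; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:472; rev:1;)',
]
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_vars(config):
    """Collect 'var NAME VALUE' lines; a value may itself reference another var."""
    return dict(line.split()[1:] for line in config.splitlines() if line.startswith("var "))

def ip_matches(spec, ip, variables):
    """Evaluate a Snort address spec: 'any', an IP or CIDR, or $VAR, each optionally negated with '!'."""
    negate = False
    while spec.startswith("!"):       # a leading '!' inverts the result of the rest of the spec
        negate = not negate
        spec = spec[1:]
    if spec.startswith("$"):          # resolve the variable first, then apply this level's negation
        return ip_matches(variables[spec[1:]], ip, variables) != negate
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def matching_sids(proto, src, sport, dst, dport, config=CONFIG, rules=RULES):
    """Return the SIDs whose rule header matches the packet; rule options are not evaluated."""
    variables = parse_vars(config)
    sids = []
    for rule in rules:
        _act, rproto, rsrc, rsport, rdst, rdport, opts = HEADER.match(rule).groups()
        if (rproto == proto and ip_matches(rsrc, src, variables) and port_matches(rsport, sport)
                and ip_matches(rdst, dst, variables) and port_matches(rdport, dport)):
            sids.append(int(re.search(r"sid:(\d+);", opts).group(1)))
    return sids
```

A SYN to the proxy on 8080 and an ICMP redirect from the gateway produce no SID, while the same traffic to or from any other host still triggers 620 and 472 respectively.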