Showing results for 
Search instead for 
Did you mean: 
Level 7

Unable to import Snort Signature cleanly

Hi Mcafee,

I am having trouble with importing Snort signatures into Mcafee NSM Version I really need advice here. here's an example of a snort signature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/_layouts/help.aspx"; nocase; http_uri; content:"cid0="; nocase; http_uri; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,; reference:url,; reference:url,; reference:url,; reference:cve,2010-0817; reference:url,; classtype:web-application-attack; sid:2011073; rev:5Smiley Wink

The highlighted red portion are the ones i'm having problem with. I can change the traffic setting to any any but the Classtype, it doesn't seem to recognize even when i change to a Mcafee type like "Trojan-Activity.

Thank you for reading this and i hope to hear from anyone.



0 Kudos
1 Reply
Level 20

Re: Unable to import Snort Signature cleanly

Moving to Network security platform so like users can comment

0 Kudos