Snort mailing list archives
Re: Snort 2.0 rc1 Observations
From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 10:02:39 -0500 (EST)
On Fri, 28 Mar 2003, Kenneth G. Arnold wrote:
> I tried out Snort 2.0 rc1 yesterday on Solaris 9 and I noticed three things.
[...snip...]

All three of your issues stem from one problem: You didn't update your rules from 1.9.x to 2.0rc1. Here are the three SIDs that you mention from the rc1 tarball.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:7;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)

No 'to_sever', no regex. :)

Update your rules files to the most current version. The rules files as distributed with Snort are designed to be 'overwritten' by new versions. Yes, I know people customize their rules... But that's where you have to do a sitdown analysis and merge in your changes to the new rules. Using something like oinkmaster really helps with it.

To solve your problem: Update your snort and your rules. Then you should be good to go. Of course make a backup first--Just in case. :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
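As an added example (not part of Erek's message, of oinkmaster, or of the Snort project), the script below does the sid-by-sid comparison that a "sitdown analysis" needs before overwriting a customised rules file with a new distribution: it parses both files, reports which sids were revised upstream, which were modified locally, which exist only locally, and flags flow modifiers Snort does not recognise, such as the 'to_sever' token quoted in the message. The three 2.0rc1 rules are copied from the message; the "local" 1.9.x-era rules, including the 'to_sever' typo and the sid 1000001 site rule, are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# A one-line Snort rule: "<action> <proto> <src> <sport> <dir> <dst> <dport> ( <options> )".
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+"
    r"(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# flow: modifiers Snort 2.0 accepts; anything else (e.g. "to_sever") is a typo.
FLOW_TOKENS = {"to_client", "to_server", "from_client", "from_server",
               "established", "stateless", "no_stream", "only_stream"}


class Rule(NamedTuple):
    sid: int
    rev: int
    options: List[Tuple[str, Optional[str]]]  # ordered (keyword, value) pairs
    text: str                                  # the rule line as written


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'k1:v1; k2; k3:v3;' into pairs, honouring the '\\;' escape."""
    pairs = []
    for part in re.split(r"(?<!\\);", body):
        part = part.strip()
        if part:
            key, sep, val = part.partition(":")
            pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def parse_rules(text: str) -> Dict[int, Rule]:
    """Index one-line rules by sid; comments and blank lines are skipped."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line[:60]}")
        opts = split_options(m.group("options"))
        kv = dict(opts)  # last value wins, which is fine for sid/rev
        if kv.get("sid") is None:
            raise ValueError(f"rule without sid: {line[:60]}")
        sid = int(kv["sid"])
        rules[sid] = Rule(sid, int(kv.get("rev") or 1), opts, line)
    return rules


def flow_typos(rules: Dict[int, Rule]) -> Dict[int, List[str]]:
    """Return {sid: [unknown flow modifiers]} for rules Snort 2.0 would reject."""
    bad: Dict[int, List[str]] = {}
    for sid, rule in rules.items():
        for key, val in rule.options:
            if key == "flow" and val:
                unknown = [t.strip() for t in val.split(",") if t.strip() not in FLOW_TOKENS]
                if unknown:
                    bad.setdefault(sid, []).extend(unknown)
    return bad


def compare(local: Dict[int, Rule], new: Dict[int, Rule]) -> Dict[str, List[int]]:
    """Classify every sid so local edits can be merged into the new ruleset."""
    report: Dict[str, List[int]] = {
        "unchanged": [],         # identical text: take either copy
        "upstream_revised": [],  # upstream bumped rev: take new, re-apply local tweaks
        "locally_modified": [],  # text differs at the same (or higher) rev: hand-merge
        "local_only": [],        # site rules (conventionally sid >= 1000000): keep
        "new_only": [],          # detections added upstream: take
    }
    for sid in sorted(set(local) | set(new)):
        if sid not in new:
            report["local_only"].append(sid)
        elif sid not in local:
            report["new_only"].append(sid)
        elif local[sid].text == new[sid].text:
            report["unchanged"].append(sid)
        elif local[sid].rev < new[sid].rev:
            report["upstream_revised"].append(sid)
        else:
            report["locally_modified"].append(sid)
    return report


# The three 2.0rc1 rules quoted in the message above.
NEW_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)
"""

# Constructed "local" file standing in for a customised 1.9.x ruleset: sid 1955
# carries the 'to_sever' typo, sid 1250 is an older rev without flow:, sid 1108
# is untouched, and sid 1000001 is a site-local rule. None of these four lines
# come from the message; they exist only to drive the demonstration.
LOCAL_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_sever,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL admin console probe"; flow:to_server,established; uricontent:"/admin/"; classtype:attempted-recon; sid:1000001; rev:1;)
"""


def run_report() -> Tuple[Dict[str, List[int]], Dict[int, List[str]]]:
    """Merge report for LOCAL_RULES vs NEW_RULES plus the local flow typos."""
    local, new = parse_rules(LOCAL_RULES), parse_rules(NEW_RULES)
    return compare(local, new), flow_typos(local)


if __name__ == "__main__":
    report, typos = run_report()
    for bucket, sids in report.items():
        print(f"{bucket:17s} {sids}")
    for sid, toks in typos.items():
        print(f"sid {sid}: unknown flow modifier(s) {toks}")
```

Run it after unpacking the new tarball but before copying anything over: the "locally_modified" and "local_only" buckets are exactly the rules that need a hand merge into the new files, and the flow-typo check catches the kind of keyword error that makes a new Snort refuse to start. Rules with a higher upstream rev are taken wholesale; if they carried a local tweak, re-apply it to the new copy rather than keeping the old line.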
Current thread:
- Snort 2.0 rc1 available Martin Roesch (Mar 26)
- Re: Snort 2.0 rc1 available Rob Hughes (Mar 26)
- Re: Snort 2.0 rc1 available Paul B. Poh (Mar 27)
- Re: Snort 2.0 rc1 available Andrew R. Baker (Mar 27)
- Re: Snort 2.0 rc1 available Paul B. Poh (Mar 27)
- Re: Snort 2.0 rc1 available Master Brian (Mar 27)
- Re: Snort 2.0 rc1 available Bennett Todd (Mar 27)
- Snort 2.0 rc1 performances jeremy chartier (Mar 28)
- Snort 2.0 rc1 Observations Kenneth G. Arnold (Mar 28)
- Re: Snort 2.0 rc1 Observations Erek Adams (Mar 28)
- Re: Snort 2.0 rc1 Observations Kenneth G. Arnold (Mar 28)
- Re: Snort 2.0 rc1 Observations Erek Adams (Mar 28)
- Snort 2.0 rc1 Observations Kenneth G. Arnold (Mar 28)
- Re: Snort 2.0 rc1 Observations Chris Green (Mar 31)
- Snort 2.0 rc1 pass solved / now mysql problem Kenneth G. Arnold (Mar 31)
- Re: Snort 2.0 rc1 available Rob Hughes (Mar 26)
- Re: snort decoder Chris Green (Mar 28)
- <Possible follow-ups>
- RE: Snort 2.0 rc1 available Slighter, Tim (Mar 27)
- Re: Snort 2.0 rc1 available Chris Green (Mar 31)