Snort mailing list archives
Re: Snort 2.0 rc1 Observations
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Fri, 28 Mar 2003 09:57:50 -0600
Do the rules for 2.0 rc1 correspond to snortrules-current.tar.gz (Works for HEAD branch of CVS) on the snort site for future updating? I can understand how the wrong rules would explain the first two situations. Have the rules for writing passes to rules changed in this version? Have the command line options changed for making the passes to be processed before the alerts?
Ken

At 10:02 AM 3/28/03 -0500, Erek Adams wrote:
On Fri, 28 Mar 2003, Kenneth G. Arnold wrote:

> I tried out Snort 2.0 rc1 yesterday on Solaris 9 and I noticed three
> things.

[...snip...]

All three of your issues stem from one problem: You didn't update your rules from 1.9.x to 2.0rc1. Here are the three SIDs that you mention from the rc1 tarball.

alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)

No 'to_sever', no regex. :)

Update your rules files to the most current version. The rules files as distributed with Snort are designed to be 'overwritten' by new versions. Yes, I know people customize their rules... But that's where you have to do a sit-down analysis and merge in your changes to the new rules. Using something like oinkmaster really helps with it.

To solve your problem: Update your snort and your rules. Then you should be good to go. Of course make a backup first--Just in case. :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
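The rule-compatibility check Erek describes (old 1.9.x rules carrying flow modifiers or other options that 2.0rc1 rejects) can be done mechanically before a rule set is loaded. The following Python is an added example, not code from this thread or from the Snort project; it parses the header and option list of a one-line Snort rule and reports flow modifiers outside the set Snort 2.0 accepts. That accepted set is my assumption from the Snort 2.0 flow keyword documentation, and the misspelt sample rule at the bottom is constructed for illustration.

```python
import re

# Assumption: flow modifiers accepted by the Snort 2.0 'flow' keyword.
VALID_FLOW = {"to_server", "to_client", "from_server", "from_client",
              "established", "stateless", "no_stream", "only_stream"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Split on ';' only when an even number of double quotes follows, so a ';'
# inside content:"..." does not break the option list.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(rule):
    """Return header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a one-line Snort rule: %r" % rule)
    fields = m.groupdict()
    options = []
    for raw in OPT_SPLIT_RE.split(fields.pop("opts")):
        raw = raw.strip()
        if not raw:               # trailing ';' leaves an empty piece
            continue
        key, _, val = raw.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    fields["options"] = options
    return fields


def flow_problems(rule):
    """List flow modifiers in the rule that Snort 2.0 would not accept."""
    bad = []
    for key, val in parse_rule(rule)["options"]:
        if key == "flow":
            bad.extend(mod.strip() for mod in val.split(",")
                       if mod.strip() not in VALID_FLOW)
    return bad


if __name__ == "__main__":
    good = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP '
            'version request"; flow:to_server,established; content:"|00 04 93 F3|"; '
            'offset:16; depth:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)')
    typo = good.replace("to_server", "to_sever")   # constructed broken rule
    for r in (good, typo):
        sid = dict(parse_rule(r)["options"]).get("sid")
        print("sid %s: bad flow modifiers %s" % (sid, flow_problems(r)))
```

Running it over a whole rules file, one rule per line, shows which SIDs need to be merged into the new distribution rather than carried over unchanged.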