Snort mailing list archives
RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf
From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 9 Jul 2004 16:18:30 -0500
I am not sure, but the question marks might be throwing off a parser for the DB plugin or might not be accepted as input (the column might be int only). Just make up a high number; > 1000000 is the range I think you are supposed to use.

-----Original Message-----
From: Joseph Gama [mailto:josephgama () yahoo com]
Sent: Friday, July 09, 2004 4:17 PM
To: Joshua Berry
Subject: RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

Yes, should I make them up?

--- Joshua Berry <jberry () PENSON COM> wrote:
Are you really using question marks for the sid number?

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Joseph Gama
Sent: Friday, July 09, 2004 3:01 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

Hello everybody,

I am sorry for my persistence in trying to find what was wrong with a rule. I want to thank Matthew Jonkman and Matthew Watchinski for their help trying to figure it out. It happens that the rule works fine when no database output is defined in snort.conf, but when using "output database: log, mssql" it won't fire at all. I had MSSQL Profiler running to detect what was happening, and when sending the offending packet nothing was sent to MSSQL.

This rule works only when there is no database log:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)

This rule works always:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL (08)"; content:"|08|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)

Thank you.

Peace,
Joseph Gama
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
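The reply above boils down to "sid must be an integer, and local rules should use a high number". As an added example, not code from the thread or from the Snort project, the following Python script parses a Snort 2 rule and reports a sid that is not numeric or that sits below the local range, and a url reference that carries a scheme (Snort's reference.config prepends http:// to url references itself). The local-range floor of 1000000 is taken from the reply and treated as an assumption; the sample rules are constructed from the ones in the post.

```python
"""Pre-flight check for Snort 2.x rule options before loading them.

Added example (not from the mailing-list thread): it parses a rule's
header and option list and reports a 'sid' that is not an integer or
that falls below the local range, plus a malformed 'reference:url'.
Assumptions, not taken from the thread: local rules start at sid
1000000 (the figure given in the reply), and Snort's reference.config
prefixes url references with 'http://' itself.
"""
import re

LOCAL_SID_MIN = 1_000_000  # assumed local-rule range, per the reply above

# Snort 2 rule layout: action proto src sport dir dst dport (options)
_HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';', ignoring ';' inside double quotes."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf).strip())
    return [item for item in items if item]


def parse_rule(line):
    """Return the header fields and an ordered list of (keyword, value)."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError('not a Snort rule header: %r' % line[:40])
    options = []
    for item in split_options(m.group('opts')):
        key, _, value = item.partition(':')
        options.append((key.strip(), value.strip()))
    return m.groupdict(), options


def check_rule(line):
    """Return a list of problems; an empty list means the rule passes."""
    try:
        _header, options = parse_rule(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    by_key = {}
    for key, value in options:
        by_key.setdefault(key, []).append(value)

    sid = by_key.get('sid', [None])[0]
    if sid is None:
        problems.append('missing sid')
    elif not sid.isdigit():
        problems.append('sid is not an integer: %r' % sid)
    elif int(sid) < LOCAL_SID_MIN:
        problems.append('sid %s is below the local range (>= %d)' % (sid, LOCAL_SID_MIN))

    rev = by_key.get('rev', [None])[0]
    if rev is not None and not rev.isdigit():
        problems.append('rev is not an integer: %r' % rev)

    for ref in by_key.get('reference', []):
        scheme, _, value = ref.partition(',')
        if scheme.strip() == 'url' and value.strip().lower().startswith('http'):
            # Snort prepends http:// to url references; a scheme (or the
            # 'http.' typo) in the value yields a broken link.
            problems.append('url reference should not carry a scheme: %r' % value.strip())
    return problems


# Constructed samples: the rule as posted (sid:????) and a corrected one.
RULE_AS_POSTED = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
    '(msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; '
    'reference: url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; '
    'classtype:attempted-dos; sid:????; rev:0;)'
)
RULE_FIXED = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
    '(msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; '
    'reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)

if __name__ == '__main__':
    for name, rule in (('as posted', RULE_AS_POSTED), ('fixed', RULE_FIXED)):
        print(name, check_rule(rule) or 'OK')
```

Run it over a local.rules file line by line before restarting Snort; the point is to catch a non-numeric sid (or a placeholder left in by mistake) at edit time rather than discovering it when the database output plugin silently drops the event.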
Current thread:
- RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf Joshua Berry (Jul 09)