RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

["Joshua Berry" <jberry () PENSON COM>]

I am not sure but the question marks might be throwing off a parser for
the DB plugin or might not be accepted as input (the column might be int
only).

Just make up a high number > 1000000 I think is the range you are
supposed to use.

-----Original Message-----
From: Joseph Gama [mailto:josephgama () yahoo com] 
Sent: Friday, July 09, 2004 4:17 PM
To: Joshua Berry
Subject: RE: [Snort-sigs] Bug found when using "output database: log,
mssql" in snort.conf

Yes, should I make them up?

--- Joshua Berry <jberry () PENSON COM> wrote:
> Are you really using question marks for the sid
> number?
>
> -----Original Message-----
> From: snort-sigs-admin () lists sourceforge net
> [mailto:snort-sigs-admin () lists sourceforge net] On
> Behalf Of Joseph Gama
> Sent: Friday, July 09, 2004 3:01 PM
> To: snort-sigs () lists sourceforge net
> Subject: [Snort-sigs] Bug found when using "output
> database: log, mssql"
> in snort.conf
>
> Hello everybody,
>
> I am sorry for my persistence on trying to find what
> was wrong with a rule. I want to thank Matthew
> Jonkman
> and Matthew Watchinski for their help trying to
> figure
> it out. It happens that hte rule works fine when no
> database output is defined in snort.conf but when
> using "output database: log, mssql" it won't fire at
> all. I had MSSQL Profiler to detect what was
> happening
> and when sending the offending packet nothing was
> sent
> to MSSQL.
>
> This rule works only when there is no database log:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434
> (msg:"MS-SQL heap overflow attempt (0A3A31)";
> content:"|0A 3A 31|"; depth:3; reference:
> url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
> classtype:attempted-dos; sid:????; rev:0;) 
>
> This rule works always:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434
> (msg:"MS-SQL  (08)"; content:"|08|"; depth:1;
> reference:
> url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
> classtype:attempted-dos; sid:????; rev:0;) 
>
> Thank you.
>
> Peace,
>
> Joseph Gama
>
>
>               
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail is new and improved - Check it out!
> http://promotions.yahoo.com/new_mail
-------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings &
> Training.
> Attend Black Hat Briefings & Training, Las Vegas
> July 24-29 - 
> digital self defense, top technical experts, no
> vendor pitches, 
> unmatched networking opportunities. Visit
> www.blackhat.com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users