Snort mailing list archives
RE: [Snort-sigs] sigs with asn1 fails
From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 28 Jul 2004 10:13:28 -0500
Sorry, typo in the email, that should have read that I tested the CURRENT and 2_2 zipped files.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Joshua Berry
Sent: Wednesday, July 28, 2004 8:45 AM
To: snort
Subject: RE: [Snort-sigs] sigs with asn1 fails

I update twice a day with oinkmaster pointed to www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and have not seen the asn1 keyword in any of the rules I downloaded. However, I tested downloading www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and it has the keyword, and so does www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz. Maybe these people are using the CURRENT rules, or I just happen to be downloading when they fix the problem every single time.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Rocio Alfonso Pita
Sent: Wednesday, July 28, 2004 4:03 AM
To: 'snort'
Subject: [Snort-sigs] sigs with asn1 fails

Hello,

I update my snort rules with oinkmaster. Yesterday, snort did not start after this update, giving the following errors:

snort: FATAL ERROR: Warning: /var/oinkmaster/rules/exploit.rules(79) => Unknown keyword ' asn1' in rule!
snort: FATAL ERROR: Warning: /var/oinkmaster/rules/netbios.rules(115) => Unknown keyword ' asn1' in rule!

Rules that I had to deactivate for snort to start (output oinkmaster):

Note: Oinkmaster is running in careful mode - not updating anything.
[***] Results from Oinkmaster started Wed Jul 28 10:48:34 2004 [***]

[+++] Enabled rules: [+++]

-> Enabled in exploit.rules (2):

alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)

-> Enabled in netbios.rules (2):

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)

[*] Non-rule line modifications: [*]
None.

[*] Added files: [*]
None.

What is the problem in these sigs?
Thanks and regards,
rozio

PS: Additional information:
Snort version: 2.1.2
Oinkmaster version: 1.0
Rules: http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
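The failure mode in this thread is a rule feed that uses an option keyword (asn1) the locally installed Snort does not understand, so the sensor refuses to start after an oinkmaster update. The script below is an added example, not code from the thread, from oinkmaster or from the Snort project: a pre-flight check that parses a rule file, lists the option keywords each rule uses, flags rules whose keywords are unknown to a given engine version, and writes a copy with those rules commented out. The only version-to-keyword mapping it carries is the one the thread itself supports (asn1 unknown to Snort 2.1.x); the keyword table, the function names and the sample rule file are assumptions of this example.

```python
"""Pre-flight check for Snort rule files.

Flags rules that use option keywords the locally installed Snort does not
understand, so a rule update does not leave the sensor unable to start
('Unknown keyword asn1 in rule!' as in the thread above). Added example,
not part of Snort or oinkmaster.
"""
import re

# Assumption taken from the thread, not from Snort documentation: the asn1
# keyword is unknown to Snort 2.1.x. Extend this table for your own engine.
UNSUPPORTED_BY_VERSION = {
    "2.1": {"asn1"},
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def split_options(option_body: str) -> list:
    """Split the text inside a rule's parentheses on ';' while respecting
    double quotes and backslash escapes, so a ';' inside msg:"..." or
    content:"..." does not split the option."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in option_body:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def rule_keywords(rule: str) -> list:
    """Return the option keywords used by one rule line (the text before the
    first ':' of each option, or the whole option for flag-style ones such
    as 'nocase')."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    options = split_options(rule[start + 1:end])
    return [opt.split(":", 1)[0].strip() for opt in options if opt]


def check_rules(rule_text: str, version: str) -> list:
    """Return (line_number, sid, keyword) for every rule in rule_text that
    uses a keyword unsupported on the given engine version."""
    unsupported = UNSUPPORTED_BY_VERSION.get(version, set())
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or already-disabled rule
        bad = [k for k in rule_keywords(stripped) if k in unsupported]
        if bad:
            m = SID_RE.search(stripped)
            sid = m.group(1) if m else "?"
            findings.extend((lineno, sid, k) for k in bad)
    return findings


def disable_unsupported(rule_text: str, version: str) -> str:
    """Return a copy of rule_text with every flagged rule commented out,
    which is what the original poster had to do by hand."""
    flagged = {lineno for lineno, _, _ in check_rules(rule_text, version)}
    out = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        out.append("# " + line if lineno in flagged else line)
    return "\n".join(out)


# Constructed sample file: two asn1 rules quoted in the thread (references
# trimmed) plus one plain rule whose msg contains a ';' to exercise the parser.
SAMPLE_RULES = "\n".join([
    "# constructed sample rule file for the pre-flight check",
    'alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; classtype:attempted-admin; sid:2578; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; classtype:attempted-admin; sid:2383; rev:12;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample rule; semicolon inside msg"; content:"GET"; sid:1000001; rev:1;)',
])

if __name__ == "__main__":
    for lineno, sid, keyword in check_rules(SAMPLE_RULES, "2.1"):
        print(f"line {lineno}: sid {sid} uses unsupported keyword '{keyword}'")
    print(disable_unsupported(SAMPLE_RULES, "2.1"))
```

Run it against the downloaded snapshot before restarting the sensor (or wire it into the oinkmaster post-update step) and only the rules that would trip the engine are commented out; the rest of the update still lands. Note that the word "asn1" inside a msg string is not flagged, because only the keyword part of each option is compared.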
Current thread:
- RE: [Snort-sigs] sigs with asn1 fails Joshua Berry (Jul 28)
- <Possible follow-ups>
- RE: [Snort-sigs] sigs with asn1 fails Joshua Berry (Jul 28)