Snort mailing list archives
Re: Bad range in Snort rules
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Mon, 13 Jan 2014 12:54:50 -0500
Hey Lukas,

Further research indicated that those rules were not necessary to cover the vuln.

thanks
Alex McDonnell
VRT

On Mon, Jan 13, 2014 at 9:32 AM, Lukas Matt <lukas.matt () sophos com> wrote:

Hi Alex,

why did you remove them? I mean, only a small change is necessary to make them work correctly.

Regards,
Lukas

On 01/13/2014 03:24 PM, Alex McDonnell wrote:

Hi Lukas.

The rules in question were deleted the 13th of December and went out in SEU: 1018 Date: 2013-12-17

thanks
Alex McDonnell
VRT

On Mon, Jan 13, 2014 at 8:52 AM, Lukas Matt <lukas.matt () sophos com> wrote:

Hi all,

was there some progress regarding the bad range over Christmas?

Cheers,
Lukas

On 12/16/2013 06:00 PM, Joel Esler (jesler) wrote:

Lukas, yes, this will be fixed in an upcoming release.

--
*Joel Esler*
Intelligence Lead
OpenSource Manager
Vulnerability Research Team
Jabber: jesler () cisco com

On Dec 16, 2013, at 5:12 AM, Lukas Matt <lukas.matt () sophos com> wrote:

Hey guys,

I ran into the following error message: "Bad range: 4294967296". That affects rules 28519 and 28514. The problem here is the following part:

    byte_test:4,>,4294967296,18,relative,little;

Under 32bit the maximum Int is 2^32-1 but in the rule you forgot to subtract 1. I also checked the documentation and the maximum for your byte_test is 4294967295. Could you double check that?

Cheers,
Lukas

--
Lukas Matt
Deep Packet Inspection Researcher, RnD
tel: +49-721-25516-322, cell: +49-174-3440-555
Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
SOPHOS Security made simple
---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Richard Walford, Joachim Frost, Günter Junk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
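An added example, not part of the original thread or of Snort itself: a small pre-deployment lint that scans rule text for `byte_test` options whose comparison value exceeds the 4294967295 maximum cited above. It goes one step beyond the thread by also flagging comparisons that a field of the given byte width can never satisfy (for instance `>` against 4294967295 on a 4-byte field). The function name, finding labels and sample rules are assumptions made for illustration.

```python
import re

U32_MAX = 2**32 - 1  # 4294967295, the byte_test maximum cited in the thread
BYTE_TEST = re.compile(r"byte_test\s*:\s*([^;]+);")

def parse_int(text):
    """Parse a decimal or 0x-prefixed literal; return None for anything else."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return None

def check_byte_tests(rule):
    """Return (option_text, finding) pairs for suspicious byte_test options."""
    findings = []
    for m in BYTE_TEST.finditer(rule):
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) < 4:
            findings.append((m.group(0), "too-few-arguments"))
            continue
        nbytes, op, value = parse_int(args[0]), args[1], parse_int(args[2])
        if nbytes is None or value is None or nbytes < 1:
            continue  # variables and other forms are out of scope here
        if value > U32_MAX:
            findings.append((m.group(0), "bad-range"))  # parser would reject this
            continue
        if "string" in (a.lower() for a in args[4:]):
            continue  # ASCII-encoded numbers are not bounded by the byte count
        field_max = 2 ** (8 * nbytes) - 1
        if (op == ">" and value >= field_max) or (op in (">=", "=") and value > field_max):
            findings.append((m.group(0), "never-true"))  # loads, but cannot match
    return findings

# Constructed sample rules; only the byte_test fragment in the first is from the thread.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"constructed A"; content:"ABCD"; '
    'byte_test:4,>,4294967296,18,relative,little; sid:1000001;)',
    'alert tcp any any -> any any (msg:"constructed B"; content:"ABCD"; '
    'byte_test:4,>,4294967295,18,relative,little; sid:1000002;)',
    'alert tcp any any -> any any (msg:"constructed C"; content:"ABCD"; '
    'byte_test:4,>,2147483647,18,relative,little; sid:1000003;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(check_byte_tests(rule) or "ok")
```
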