Snort mailing list archives
Re: Unknown rule option sip_header
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 01 Oct 2014 11:04:43 -0600
On 2014-10-01 10:56, Shirkdog wrote:
> If not you will need to disable that rule. You can use pullpork to keep that signature disabled on rule updates.
>
> On Oct 1, 2014 12:07 PM, "James Lay" <jlay () slave-tothe-box net> wrote:
>> On 2014-10-01 09:40, Y M wrote:
>>> To: snort-users () lists sourceforge net
>>> Date: Wed, 1 Oct 2014 08:09:10 -0600
>>> From: jlay () slave-tothe-box net
>>> Subject: [Snort-users] Unknown rule option sip_header
>>>
>>>> Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR: /etc/snort/rules/snort.rules(31729) Unknown rule option: sip_header.
>>>>
>>>> alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;)
>>>>
>>>> Anyone else seeing this?
>>>
>>> Running fine on my side. Is the SIP preprocessor enabled?
>>> YM
>>
>> James
>>
>> It is not....SIP will never traverse this specific link, so in an effort to optimize and remove unneeded functionality I disabled it. Are we saying that I MUST have this preprocessor running? Thanks YM.
>>
>> James
Indeed that has been done. But that's for THIS time...what about the next time a rule pops up with sip_headers;? Snort will FATAL ERROR and sensors will go down (reason #1243 why I have my pulled pork processes run while I'm at work to see it happen). Which is why in the long run...I'd rather have snort continue to run even with an errored rule than not at all. I'll see the FATAL ERROR in my log, and get an email, but at least the rest of IDS functionality. My other option is to just sed 's/sip_headers;//' the snort.rules file right before it gets copied over...which I may end up doing.

James
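A more careful version of the pre-copy filtering James describes, added here as an example and not code from the list or from the Snort project: rather than stripping the option out of the rule (which leaves a rule that no longer matches what its msg claims), it comments out every rule whose options require a preprocessor that is not loaded, and reports the affected SIDs so the change shows up in the update log. The preprocessor-to-option map and the sample rules are constructed assumptions for this example; extend the map to match your snort.conf.

```python
import re

# Constructed sample: the SID 32041 rule from the thread plus a plain HTTP rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example http rule"; content:"() {"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;)
"""

# Rule options that only parse when the matching preprocessor is loaded.
# Assumed map for this example; add entries for other preprocessors you disable.
PREPROCESSOR_OPTIONS = {
    "sip": {"sip_method", "sip_stat_code", "sip_header", "sip_body"},
}

_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted rule arguments
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def disable_rules_needing(rules_text, disabled_preprocessors):
    """Comment out rules that use an option of a disabled preprocessor.

    Returns (new_rules_text, list_of_disabled_sids). Rules that are already
    commented out, blank lines, and rules that merely mention the keyword
    inside a quoted content/msg string are left untouched.
    """
    wanted = set()
    for pp in disabled_preprocessors:
        wanted |= PREPROCESSOR_OPTIONS.get(pp, set())
    if not wanted:
        return rules_text, []
    # Keyword must be a whole token followed by ';' (flag) or ':' (argument).
    opt_re = re.compile(r"(?:^|[;(\s])(?:" + "|".join(map(re.escape, sorted(wanted))) + r")\s*[;:]")
    out, disabled = [], []
    for line in rules_text.splitlines():
        body = _STRING_RE.sub('""', line)  # blank out quoted strings before matching
        if line.startswith("#") or not line.strip() or not opt_re.search(body):
            out.append(line)
            continue
        m = _SID_RE.search(line)
        disabled.append(int(m.group(1)) if m else None)
        out.append("# disabled (preprocessor not loaded): " + line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    text, sids = disable_rules_needing(SAMPLE_RULES, {"sip"})
    print("disabled SIDs:", sids)
    print(text)
```

Run it against the freshly pulled snort.rules and write the result to the file that gets copied to the sensor; a non-empty SID list is what to alert on in the update job.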