Re: Unknown rule option sip_header

[Y M <snort () outlook com>]

> To: shirkdog () gmail com
> Subject: Re: [Snort-users] Unknown rule option sip_header
> Date: Wed, 1 Oct 2014 11:04:43 -0600
> From: jlay () slave-tothe-box net
> CC: snort-users () lists sourceforge net; snort () outlook com
>
> On 2014-10-01 10:56, Shirkdog wrote:
> > If not you will need to disable that rule. You can used pullpork to
> > keep that signature disabled on rule updates.
> >
> > On Oct 1, 2014 12:07 PM, "James Lay" <jlay () slave-tothe-box net [8]>
> > wrote:
> >
> > > On 2014-10-01 09:40, Y M wrote:
> > > > > To: snort-users () lists sourceforge net [1]
> > > > > Date: Wed, 1 Oct 2014 08:09:10 -0600
> > > > > From: jlay () slave-tothe-box net [2]
> > > > > Subject: [Snort-users] Unknown rule option sip_header
> > > > >
> > > > > Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR:
> > > > > /etc/snort/rules/snort.rules(31729) Unknown rule option:
> > > > sip_header.
> > > > > alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS
> > > > (msg:"OS-OTHER
> > > > > Bash environment variable injection attempt"; flow:stateless;
> > > > > sip_header; content:"() {"; metadata:policy balanced-ips drop,
> > > > policy
> > > > > security-ips drop, ruleset community, service sip;
> > > > > reference:cve,2014-6271; reference:cve,2014-7169;
> > > > > classtype:attempted-admin; sid:32041; rev:1;)
> > > > >
> > > > > Anyone else seeing this?
> > > >
> > > > Running fine on my side. Is the SIP preprocessor enabled?
> > > >
> > > > YM
> > > >
> > > > > James
> > >
> > > It is not....SIP will never traverse this specific link, so in an
> > > effort to optimize and remove unneeded functionality I disabled
> > > it.  Are
> > > we saying that I MUST have this preprocessor running?  Thanks YM.
> > >
> > > James
>
> Indeed that has been done.  But that's for THIS time...what about the 
> next time a rule pops up with sip_headers;?  Snort will FATAL ERROR and 
> sensors will go down (reason #1243 why I have my pulled pork processes 
> run while I'm at work to see it happen).  Which is why in the long 
> rung...I'd rather have snort continue to run even with an errored rule, 
> then not at all.  I'll see the FATAL ERROR in my log, and get an email, 
> but at least the rest of IDS functionality.  My other option is to just 
> sed 's/sip_headers;//' the snort.rules file right before it gets copied 
> over...which I may end up doing.
You cannot disable by category either. This one is in os-other which may contain sigs you need to keep, and the same 
applies if the category was changed to protocol-voip.
A suggestion, since PulledPork accepts raw PCRE in its *.conf files, you may get away with adding PCRE to the 
disablesid.conf and have PulledPork do it. Though, you need to watch out for flowbits re-enabling SIP rules back; if 
there is any.
YM
> James

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!