Snort mailing list archives
Re: Unknown rule option sip_header
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 1 Oct 2014 17:25:49 +0000
I've been meaning to write a check then when PP runs, it tests the rules and if it fails, it doesn't push. I just haven't gotten that far and we've only had this happen 3 or 4 times in the past few years. It's not a big thing, but when it fails, it isn't graceful.

On Wed, Oct 1, 2014 at 5:21 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

> On Oct 1, 2014, at 12:35 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> On 2014-10-01 10:26, Jeremy Hoel wrote:
>>
>>> We had this bite us.. we came in the morning and found the sensors all off. We just disabled the rule, since, like you, SIP doesn't traverse our links.
>>>
>>> On Oct 1, 2014 10:07 AM, "James Lay" <jlay () slave-tothe-box net [8]> wrote:
>>>
>>>> On 2014-10-01 09:40, Y M wrote:
>>>>
>>>>>> To: snort-users () lists sourceforge net [1]
>>>>>> Date: Wed, 1 Oct 2014 08:09:10 -0600
>>>>>> From: jlay () slave-tothe-box net [2]
>>>>>> Subject: [Snort-users] Unknown rule option sip_header
>>>>>>
>>>>>> Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR: /etc/snort/rules/snort.rules(31729) Unknown rule option: sip_header.
>>>>>>
>>>>>> alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;)
>>>>>>
>>>>>> Anyone else seeing this?
>>>>>
>>>>> Running fine on my side. Is the SIP preprocessor enabled?
>>>>>
>>>>> YM
>>>>>
>>>>>> James
>>>>
>>>> It is not....SIP will never traverse this specific link, so in an effort to optimize and remove unneeded functionality I disabled it. Are we saying that I MUST have this preprocessor running?
>>>>
>>>> Thanks YM.
>>>>
>>>> James
>>
>> Thanks Jeremy...that's what I had to do in the short term...next step is to add those two rules to these specific disablesids. Long term though, every time a new one of these comes out, this is going to break stuff. Joel, can we get a feature request or something...a command line flag that will allow running with errors. So if a specific rule is borked, snort will just skip that rule and continue on?
>>
>> Thank you.
>
> This is a catch 22.. If you load silently, then people think that a rule that was supposed to be turned on, but failed to load for whatever reason (for instance the opposite of what you experienced today), then we get hollered at for NOT failing.
>
> Then when we fail, we get hollered at for failing. But your idea of a command line argument or something is interesting. I'll ask.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
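The pre-push check Jeremy describes at the top of this message, written out as an added example (not code from this thread and not PulledPork's own code): it runs Snort's configuration test with the -T flag and only pushes the ruleset when Snort loads every rule; otherwise it reports the file, line and unknown option taken from a FATAL ERROR line in the format quoted above, plus the sid of the offending rule so it can go into disablesid. Reading "PP" as PulledPork, the snort binary and configuration paths, and the push command passed in are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not PulledPork's code.
# Assumptions: Snort 2.x "-T" (test configuration and exit), the default paths
# below, the FATAL ERROR line format quoted in the thread, and "PP" = PulledPork.

SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Read snort -T output on stdin and print "file line option" for the first
# "Unknown rule option" FATAL ERROR line; print nothing if there is none.
parse_fatal_error() {
    sed -n 's/.*FATAL ERROR: \([^(]*\)(\([0-9][0-9]*\)) Unknown rule option: \([A-Za-z0-9_]*\).*/\1 \2 \3/p' | head -n 1
}

# Read a rule line on stdin and print its sid (what disablesid needs).
rule_sid() {
    sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'
}

# Run Snort's configuration test; exit status is Snort's own, non-zero on FATAL ERROR.
test_config() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" 2>&1
}

# Gate: test first, push only if every rule loaded. $1 is the push command
# (for example the rsync step that copies the rules to the sensors).
validate_then_push() {
    push_cmd="$1"
    if out=$(test_config); then
        $push_cmd
        return $?
    fi
    # Snort refused the configuration; say which rule broke it if we can tell.
    set -- $(printf '%s\n' "$out" | parse_fatal_error)
    if [ $# -eq 3 ]; then
        echo "rules rejected: $1 line $2 uses unknown rule option '$3'" >&2
        [ -r "$1" ] && echo "offending rule sid: $(sed -n "${2}p" "$1" | rule_sid)" >&2
    else
        echo "rules rejected: snort -T did not validate the configuration" >&2
    fi
    return 1
}
```

Set SNORT_BIN and SNORT_CONF to match the sensor build, then call validate_then_push with the real push command as its argument; a non-zero exit means the ruleset was never pushed and the reason is on stderr.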
Current thread:
- Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Jeremy Hoel (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Joel Esler (jesler) (Oct 01)
- Re: Unknown rule option sip_header Jeremy Hoel (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header waldo kitty (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header Shirkdog (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header waldo kitty (Oct 01)