Re: Unknown rule option sip_header

[Jeremy Hoel <jthoel () gmail com>]

I've been meaning to write a check then when PP runs, it tests the rules
and if it fails, it doesn't push.  I just haven't gotten that far and we've
only had this happen 3 or 4 times in the past few years.  it's not a big
thing, but when it fails, it isn't graceful.

On Wed, Oct 1, 2014 at 5:21 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

>  On Oct 1, 2014, at 12:35 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
> On 2014-10-01 10:26, Jeremy Hoel wrote:
>
> We had this bite us.. we came in the morning and found the sensors
> all
> off. We just disabled the rule, since like you, sip doesnt transverse
> our links.
> On Oct 1, 2014 10:07 AM, "James Lay" <jlay () slave-tothe-box net [8]>
> wrote:
>
> On 2014-10-01 09:40, Y M wrote:
>
> To: snort-users () lists sourceforge net [1]
> Date: Wed, 1 Oct 2014 08:09:10 -0600
> From: jlay () slave-tothe-box net [2]
> Subject: [Snort-users] Unknown rule option sip_header
>
> Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR:
> /etc/snort/rules/snort.rules(31729) Unknown rule option:
>
> sip_header.
>
>
> alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS
>
> (msg:"OS-OTHER
>
> Bash environment variable injection attempt"; flow:stateless;
> sip_header; content:"() {"; metadata:policy balanced-ips drop,
>
> policy
>
> security-ips drop, ruleset community, service sip;
> reference:cve,2014-6271; reference:cve,2014-7169;
> classtype:attempted-admin; sid:32041; rev:1;)
>
> Anyone else seeing this?
>
>
> Running fine on my side. Is the SIP preprocessor enabled?
>
> YM
>
>
> James
>
>
> It is not....SIP will never traverse this specific link, so in an
> effort to optimize and remove unneeded functionality I disabled
> it.  Are
> we saying that I MUST have this preprocessor running?  Thanks YM.
>
> James
>
>
> Thanks Jeremy...that's what I had to do in the short term...next step
> is to add those two rules to these specific disablesids.  Long term
> though, every time a new one of these comes out, this is going to break
> stuff.  Joel, can we get a feature request or something...a command line
> flag that will allow running with errors.  So if a specific rule is
> borked, snort will just skip that rule and continue on?  Thank you.
>
>
>
>
>  This is a catch 22..  If you load silently, then people think that a
> rule that was supposed to be turned on, but failed to load for whatever
> reason (for instance the opposite of what you experienced today), then we
> get hollered at for NOT failing.  Then when we fail, we get hollered at for
> failing.
>
>  But your idea of a command line argument or something is interesting.
> I’ll ask.
>
>
>  --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!