Snort mailing list archives
Re: Pulledpork doesn't creates sid-msg.map properly
From: Shirkdog <shirkdog () gmail com>
Date: Mon, 13 Oct 2014 08:33:28 -0400
It is the age-old issue of colons in the signature fields. However, this is a specific Suricata issue, as the engine parses the keys as they look in ASCII and not the way Snort signatures are written. Put a bug in for this and we will take a look (or maybe someone has already bugged it).

On Oct 13, 2014 7:26 AM, "C. L. Martinez" <carlopmart () gmail com> wrote:

> On Mon, Oct 13, 2014 at 11:03 AM, Rob MacGregor <rob.macgregor () gmail com> wrote:
>> On 13 October 2014 10:27, C. L. Martinez <carlopmart () gmail com> wrote:
>>> On Mon, Oct 13, 2014 at 8:27 AM, C. L. Martinez <carlopmart () gmail com> wrote:
>>>> Hi all,
>>>>
>>>> After some days working with pulledpork for suricata 2.0.4 all works ok until today. I have added the following rules in pulledpork's config file as a local_rules: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
>>>>
>>>> After that, sid-msg doesn't get created properly. For emergingthreats rules it works ok, but not for these last rules:
>>>>
>>>> cat sid-msg.rules
>>>> 2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
>>>> 2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
>>>> 2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
>>>> 2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
>>>> 3 || FILEEXT BMP file claimed
>>>> 6 || FILESTORE jpg
>>>> 648 || GPL SHELLCODE x86 NOOP || arachnids,181
>>>> 653 || GPL SHELLCODE x86 0x90 unicode NOOP
>>>> 8 || FILESTORE pdf
>>>> 9 || FILEMAGIC pdf
>>>> 902200008 ||
>>>> 902200009 ||
>>>> 902200035 ||
>>>> 902200060 ||
>>>> 902200062 ||
>>>> 902200064 ||
>>>> 902200081 ||
>>>> 902200082 ||
>>>> 902200125 ||
>>>> 902200133 ||
>>>> 902200134 ||
>>>> 902200141 ||
>>>> 902200148 ||
>>>> 902200151 ||
>>>> 902200178 ||
>>>> 902200195 ||
>>>> 902200209 ||
>>>> 902200213 ||
>>>> 902200241 ||
>>>> 902200248 ||
>>>> 902200381 ||
>>>> 902200382 ||
>>>> 902200383 ||
>>>>
>>>> How can I fix this??
>>
>> I've seen this where the message contains certain characters that confused the parser. I'm pretty sure it was the use of colons (":") in the message that did it in my case.
>
> Thanks Rob.
>
> I have tried it (colon is removed from the msg field now), but same result:
>
> cat Custom-sslblacklists.rules
> alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"03:1b:9a:b1:15:b9:23:06:f8:ab:ee:8f:bb:42:20:d2:86:cf:44:97"; sid:902200755; rev:1;)
> alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"04:3a:68:f0:48:e8:ce:74:70:ae:58:86:0c:58:d2:58:79:66:8c:91"; sid:902200062; rev:1;)
> alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (Spambot C&C)"; tls.fingerprint:"05:9e:0e:19:e3:67:bd:56:67:24:ae:49:6d:fa:73:47:84:6b:b8:e6"; sid:902201397; rev:1;)
> .............................................
>
> in sid-msg.map:
> 2523258 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523260 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523262 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 3 || FILEEXT BMP file claimed
> 6 || FILESTORE jpg
> 648 || GPL SHELLCODE x86 NOOP || arachnids,181
> 653 || GPL SHELLCODE x86 0x90 unicode NOOP
> 8 || FILESTORE pdf
> 9 || FILEMAGIC pdf
> 902200008 ||
> 902200009 ||
> 902200035 ||
> 902200060 ||
> 902200062 ||
> 902200064 ||
> 902200081 ||
> 902200082 ||
> 902200125 ||
>
> Uhmm ... but if the problem is with the colon in the fingerprint field, then I have a problem:))
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
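As an added example (not pulledpork's code and not from anyone in the thread), the following shows how a sid-msg.map can be built from rules like the ones pasted above when the option body is tokenised with respect for double quotes: colons inside a quoted msg or tls.fingerprint value, and whitespace before the colon as in the pasted `msg :"..."`, then no longer disturb the sid/msg extraction. The sample rules are constructed for the example and modelled on the rules quoted in the thread.

```python
# Constructed sample rules, modelled on the ones quoted in the thread.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; sid:2523264; rev:1;)
# comment lines are skipped
alert tls any any -> any any (msg :"SSL Fingerprint Blacklist: Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"03:1b:9a:b1:15:b9:23:06:f8:ab:ee:8f:bb:42:20:d2:86:cf:44:97"; sid:902200755; rev:1;)
"""

def split_outside_quotes(text, sep):
    """Split on sep, ignoring sep inside double quotes (backslash escapes)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts

def parse_options(rule):
    """[(keyword, value)] from the (...) body; colons inside quotes are kept."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for opt in split_outside_quotes(body, ";"):
        if not opt.strip():
            continue
        key, *rest = split_outside_quotes(opt, ":")  # split at first ':' outside quotes
        val = ":".join(rest).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':  # drop surrounding quotes
            val = val[1:-1]
        opts.append((key.strip(), val))  # strip the space in 'msg :"..."'
    return opts

def sid_msg_map(rules_text):
    """Build 'sid || msg || reference...' lines, one per active rule."""
    lines = []
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue
        opts = parse_options(rule)
        refs = [v for k, v in opts if k == "reference"]
        fields = dict(opts)
        lines.append(" || ".join([fields["sid"], fields["msg"], *refs]))
    return lines
```

Running `sid_msg_map(SAMPLE_RULES)` yields one complete line per rule, including the tls.fingerprint rule that came out as a bare `902200755 ||` in the thread.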