Snort mailing list archives
Re: Unknown rule option sip_header
From: Y M <snort () outlook com>
Date: Wed, 1 Oct 2014 16:37:43 +0000
To: snort () outlook com
Subject: RE: [Snort-users] Unknown rule option sip_header
Date: Wed, 1 Oct 2014 10:04:23 -0600
From: jlay () slave-tothe-box net
CC: snort-users () lists sourceforge net

On 2014-10-01 09:40, Y M wrote:

To: snort-users () lists sourceforge net
Date: Wed, 1 Oct 2014 08:09:10 -0600
From: jlay () slave-tothe-box net
Subject: [Snort-users] Unknown rule option sip_header

Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR: /etc/snort/rules/snort.rules(31729) Unknown rule option:'sip_header'.

alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;)

Anyone else seeing this?

Running fine on my side. Is the SIP preprocessor enabled?

YM

James

It is not....SIP will never traverse this specific link, so in an effort to optimize and remove unneeded functionality I disabled it. Are we saying that I MUST have this preprocessor running? Thanks YM.

The SIP preprocessor will have to be enabled to get SIP content modifiers to work. Preprocessor dissects SIP packets and puts the packet fields into the respective SIP buffers (i.e. sip_header), or at least that's my understanding. If the preprocessor is not enabled, then there will be no buffers to work with.

YM
James
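
An added example, not part of the original thread and not Snort project code: a pre-flight check that lists the active rules using SIP rule options when snort.conf has no uncommented "preprocessor sip" line, which is the condition behind the FATAL ERROR quoted above. The function names, the sample config and the sids 1000001 and 1000002 are constructed for illustration; sid 32041 is the rule from the thread, shortened.

```python
import re

# Rule options registered by the SIP preprocessor in Snort 2.9.x.
SIP_OPTIONS = {"sip_method", "sip_stat_code", "sip_header", "sip_body"}

def sip_preprocessor_enabled(conf_text):
    """True if snort.conf has an uncommented 'preprocessor sip' line."""
    return any(re.match(r"preprocessor\s+sip\b", line.split("#", 1)[0].strip())
               for line in conf_text.splitlines())

def parse_options(rule):
    """Return [(keyword, value), ...] from the rule's option body."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return []
    # Blank quoted strings first so ';' or keywords inside msg/content are ignored.
    body = re.sub(r'"(?:\\.|[^"\\])*"', '""', m.group(1))
    pairs = (opt.partition(":") for opt in body.split(";"))
    return [(k.strip(), v.strip()) for k, _, v in pairs if k.strip()]

def preflight(conf_text, rules_text):
    """List (line_no, sid, option) for active rules that would be fatal at load."""
    if sip_preprocessor_enabled(conf_text):
        return []
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or disabled rule
        opts = parse_options(line)
        sid = dict(opts).get("sid", "?")
        hits += [(no, sid, k) for k, _ in opts if k in SIP_OPTIONS]
    return hits

# Constructed sample input: SIP preprocessor commented out, as in the thread.
SAMPLE_CONF = ("preprocessor frag3_global: max_frags 65536\n"
               "# preprocessor sip: max_sessions 40000\n")
SAMPLE_RULES = "\n".join([
    '# alert udp any any -> any 5060 (msg:"disabled"; sip_method:invite; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment '
    'variable injection attempt"; flow:stateless; sip_header; content:"() {"; sid:32041; rev:1;)',
    'alert tcp any any -> any 80 (msg:"mentions sip_header; in text"; content:"x"; sid:1000002; rev:1;)',
])

if __name__ == "__main__":
    for no, sid, opt in preflight(SAMPLE_CONF, SAMPLE_RULES):
        print(f"line {no}: sid {sid} uses '{opt}' but the SIP preprocessor is not enabled")
```

The sids it reports are the rules to disable if the SIP preprocessor is to stay off on a link that never carries SIP.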