Snort mailing list archives
Re: [Snort-users] PCRE problem with some security policy rules
From: "Russ Combs \(rucombs\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Fri, 2 Aug 2019 18:43:24 +0000
The problem is apparently somewhere else. java= is not in the rule you identified. And ?java=[0-9]{2,6}$ doesn¹t appear in any recent text rule. Also sid:23805 is in browser-webkit.rules in the 29130 snapshot, not exploit-kit.rules. Which rule set are you using? Just a guess, but maybe the rules you have installed are somehow borked. Did you try downloading and reinstalling? On 8/1/19, 9:31 PM, "Snort-sigs on behalf of Joel Esler (jesler) via Snort-sigs" <snort-sigs-bounces () lists snort org on behalf of snort-sigs () lists snort org> wrote:
Adding in snort-sigs, where signatures questions should live. We¹ll have a look here. Thanks Sent from my • iPhoneOn Aug 1, 2019, at 14:01, clemence.roulin--- via Snort-users <snort-users () lists snort org> wrote: Hello, I'm using Snort 2.9.13 on Centos7 with the registered Talos rules. With the default rules, Snort runs just fine but didn't raise many alerts so we decided to switch to the security-ips policy. When using the rules from this policy, Snort fails to start, displaying errors always linked to PCRE. Here is an example of what Snort says (shortened): snort -d -l /var/log/snort/ -c /etc/snort/snort.conf -k none Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" ... ... ... Reputation config: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled. +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ERROR: /etc/snort/rules/exploit-kit.rules(130) : pcre compile of "?java=[0-9]{2,6}$" failed at offset 0 : nothing to repeat Fatal Error, Quitting.. The rule in question, from exploit-kit.rules : alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit button column memory corruption attempt"; flow:to_ client,established; file_data; content:"-webkit-column-span"; fast_pattern; nocase; content:"document.documentElement.offsetTop"; d istance:0; pcre:"/(functions+(?P<function>[a-z0-9_-]+)()s*{.*?(?P<div>[a-z0-9_-]+)s* =s*document.createElement('div')x3b.*?(?P=div). style['-webkit-column-span']s*=s*'all'x3b.*?document.getElementById("(?P< button>[a-z0-9_-]+)").appendChild((?P=div))x3b.*?document. documentElement.offsetTopx3b.*?<body[^>]*?onloads*=s*"(?P=function)()"[^> ]*?>.*?<button[^>]*?ids*=s*"(?P=button)"[^>]*?styles*=s*"[ ^"]*?-webkit-column-widthx3a1px"[^>]*?>)|(<style>.*?{s*-webkit-column-spa nx3as*allx3b.*?functions+(?P<function2>[a-z0-9_-]+)()s*{.* ?(?P<div2>[a-z0-9_-]+)*s*=s*document.createElement('div')x3b.*?(?P<button 2>[a-z0-9_-]+)s*=s*document.createElement('button')x3b.*?d ocument.documentElement.appendChild((?P=button2))x3b.*?(?P=button2).appen dChild((?P=div2)).*?document.documentElement.offsetTopx3b) /smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54680; reference:cve,2012-152 0; classtype:attempted-user; sid:23805; rev:8;) I had PCRE 8.32 when it started, so updated it to PCRE 8.43 which seemed to be the most recent version, but the errors remain. I have put it through pcretest, and have the same error so the problem definitely comes from the PCRE pattern and not any other part of the rules. I have downloaded the rules directly from the snort.org website, and tried to download it again to check if it wasn't due to the file being corrupted while downloaded, but it's not. I tried to comment out this rule, but many more have similar problems, for example this other rule where the PCRE parser fails, also from exploit-kit.rules : alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt"; flow: to_server,established; content:"?java="; fast_pattern:only; http_uri; pcre:"/?java=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.ja r; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; referenc e:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve, 2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-e xploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:5; Some rules also work fine while containing PCRE patterns. Are the weird rules basing their PCRE patterns on another version of PCRE ? Or is the problem somewhere else ? Thank you _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Re: [Snort-users] PCRE problem with some security policy rules Russ Combs (rucombs) via Snort-sigs (Aug 02)