Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Anyone else seeing lots of 129 20 this am?

From: James Lay via Snort-users <snort-users () lists snort org>
Date: Tue, 03 Sep 2019 12:12:51 -0600
Hrmmm...Joel my perception was that a properly configured pulled pork would keep everything updates...sid-msg.map, snort.rules proper, gen-msg.map, preprocessor rules...the works. Is this not the case? Thanks. 

James

On 2019-09-03 10:47, Joel Esler (jesler) wrote:

Sounds like you need to update your preprocessor.rules file?

Sent from my  iPhone


On Sep 3, 2019, at 12:25, Brian Cole <cole () echoworx com> wrote:





It turns out that both of these issues was caused by a Snort update
that was issued late last week.  I used PulledPork to download Snort
rule updates and the PP log shows the following for last Friday
morning:

-=Begin Changes Logged for Fri Aug 30 04:01:40 2019 GMT=-

New Rules

DECODE_AUTH_HDR_BAD_LEN (116:466)

DECODE_AUTH_HDR_TRUNC (116:465)

DECODE_FPATH_HDR_TRUNC (116:467)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50812)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50813)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50814)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50815)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50816)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50817)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50818)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50819)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50820)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50821)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50822)

FILE-OFFICE Microsoft Office Project file parsing arbitrary
memory access attempt (1:50823)

MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection
(1:50808)

MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection
(1:50809)

MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection
(1:50810)

MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection
(1:50800)

MALWARE-CNC Win.Trojan.SoftCell variant outbound connection
(1:50799)

MALWARE-OTHER Win.Backdoor.Agent inbound request attempt
(1:51368)

MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt
(1:50801)

MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt
(1:50802)

Unknown MSG (119:35)

Unknown MSG (120:12)

Unknown MSG (120:13)

Unknown MSG (120:14)

Unknown MSG (120:15)

Unknown MSG (120:16)

Unknown MSG (120:17)

Unknown MSG (120:18)

Unknown MSG (120:19)

Unknown MSG (120:20)

Unknown MSG (120:21)

Unknown MSG (120:22)

Unknown MSG (120:23)

Unknown MSG (120:24)

Unknown MSG (120:25)

Unknown MSG (120:26)

Unknown MSG (120:27)

Unknown MSG (120:28)

Unknown MSG (124:15)

UNKNOWN MSG (129:20)  <<<<<

Unknown MSG (133:58)

UNKNOWN MSG (133:59)  <<<<

And more…

So maybe a bad set of rules was released ?

…Brian

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: