Re: Broken rule set for 1.8.7

[Phil Wood <cpw () lanl gov>]

You guessed it!

The symptom on linux was that the actual text for the classtype (indexed
by classtype from the classification file) was missing and in its place
was the string " sid".

I'm fairly certain that another user thought that the classtype text in
the classification file was too long and causing a core dump, was the
result of the multiple classtype options for that one rule.  That rule
does not have to trigger, just one of the rules in the class "classtype".

I'd be interested if the MAC actually works, or their is some other innocuous
symptom similar to missing classification text.

Onward and upward,

On Thu, Jul 25, 2002 at 07:04:44PM -0400, McCammon, Keith wrote:
> Two classtypes, perhaps?
>
> -----Original Message-----
> From: Phil Wood [mailto:cpw () lanl gov]
> Sent: Thursday, July 25, 2002 6:19 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Broken rule set for 1.8.7
>
>
>
>
> Folks,
>
>   http://www.snort.org/dl/signatures/snortrules.tar.gz
>
> contains a broken rule.  It is possible that snort will core dump (depends
> on the OS) if this rule exists (doesn't have to trigger).
>
> rules/web-cgi.rules:
>
>   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; 
> nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; 
> classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)
>
> I'll leave it to the reader to figure out what is wrong with the rule.
>
> Later,
>
> Phil
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users