Snort mailing list archives

Re: Snort 2.0 rc1 Observations


From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 10:02:39 -0500 (EST)

On Fri, 28 Mar 2003, Kenneth G. Arnold wrote:

I tried out Snort 2.0 rc1 yesterday on Solaris 9 and I noticed three
things.

[...snip...]

All three of your issues stem from one problem:

  You didn't update your rules from 1.9.x to 2.0rc1.

Here are the three SIDs that you mention from the rc1 tarball.

  alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version
  request"; flow:to_server,established; content:"|00 04 93 F3|";
  offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4;
  classtype:rpc-portmap-decode; sid:1955; rev:3;)

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
  Cisco IOS HTTP configuration attempt"; uricontent:"/level/";
  uricontent:"/exec/"; flow:to_server,established;
  classtype:web-application-attack; reference:bugtraq,2936; sid:1250;
  rev:7;)

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
  Tomcat server snoop access"; flow:to_server,established;
  uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760;
  reference:bugtraq,1532; classtype:attempted-recon; sid:1108;  rev:8;)

No 'to_sever', no regex.  :)

Update your rules files to the most current version.  The rules files as
distributed with Snort are designed to be 'overwritten' by new versions.
Yes, I know people customize their rules...  But that's where you have to
do a sitdown analysis and merge in your changes to the new rules.  Using
something like oinkmaster really helps with it.

To solve your problem:  Update your snort and your rules.  Then you should
be good to go.  Of course make a backup first--Just in case.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
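As an added example, not code from the post or from the Snort project: a small Python script that does the "sitdown analysis" before a rules overwrite. It parses a local rules file and the new upstream file by SID and reports which SIDs upstream revised, which carry a same-rev local edit that an overwrite would silently drop, which were commented out locally, and which exist only locally. Both sample files are constructed for the demo; the upstream one reuses the three rc1 rules quoted above, the local one is invented (sid 1000001 is a made-up site rule).

```python
import re

# Snort rules file: one rule per line, "<header> (<opt>; <opt>; ...)"; a leading "#" disables it.
RULE_RE = re.compile(r'^(?P<header>[^(]+)\((?P<options>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')

def parse_rules(text):
    """Map sid -> {rev, enabled, header, opts} for every rule in a rules file."""
    rules = {}
    for line in (ln.strip() for ln in text.splitlines()):
        m = RULE_RE.match(line.lstrip('# '))
        if not m:
            continue  # blank line or an ordinary comment
        opts = [(k, v.strip()) for k, v in OPT_RE.findall(m.group('options'))]
        d = dict(opts)
        if 'sid' in d:
            rules[int(d['sid'])] = {'rev': int(d.get('rev', 0)), 'opts': opts,
                'enabled': not line.startswith('#'), 'header': m.group('header').strip()}
    return rules

def merge_report(local_text, upstream_text):
    """Classify SIDs so a rules upgrade can be reviewed before overwriting."""
    local, upstream = parse_rules(local_text), parse_rules(upstream_text)
    rep = {k: [] for k in ('new', 'local_only', 'revised', 'modified', 'disabled')}
    for sid in sorted(set(local) | set(upstream)):
        l, u = local.get(sid), upstream.get(sid)
        if l is None:
            rep['new'].append(sid)          # arrives with the overwrite
        elif u is None:
            rep['local_only'].append(sid)   # must be carried over by hand
        else:
            if not l['enabled'] and u['enabled']:
                rep['disabled'].append(sid)  # the overwrite re-enables it
            if u['rev'] > l['rev']:
                rep['revised'].append(sid)   # take upstream, re-apply any site edit
            elif (l['header'], l['opts']) != (u['header'], u['opts']):
                rep['modified'].append(sid)  # same rev, so a site edit would be lost
    return rep
# Constructed sample files, not real rule sets: a 1.9.x-era local file with site
# edits, and the 2.0rc1 versions of the three SIDs quoted in the post.
LOCAL_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; sid:1250; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
alert tcp $HOME_NET any -> any any (msg:"LOCAL site rule"; flow:to_server,established; sid:1000001; rev:1;)
"""
UPSTREAM_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; uricontent:"/level/"; uricontent:"/exec/"; flow:to_server,established; classtype:web-application-attack; reference:bugtraq,2936; sid:1250; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:cve,CAN-2000-0760; reference:bugtraq,1532; classtype:attempted-recon; sid:1108; rev:8;)
"""
```

Calling `merge_report(LOCAL_RULES, UPSTREAM_RULES)` on the samples flags 1250 as revised upstream, 1108 as a same-rev local edit, 1955 as disabled locally and 1000001 as local-only; the 'modified' and 'disabled' lists are the ones a plain overwrite would lose.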

