Snort mailing list archives

RE: Flowbits


From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Tue, 24 Feb 2004 11:11:01 -0500

I did on a Solaris installation. I removed the flowbits section from the
rules just to get things going again. Not sure how to enable that
functionality yet.

Best regards,

Michael D. Peters




-----Original Message-----
From: Douglas McCrea [mailto:dmccrea () rutgers edu]
Sent: Tuesday, February 24, 2004 10:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Flowbits


I'm running Snort 2.1 on Windows 2000 and I'm getting the following
error after changing my ruleset to snortrules-snapshot-2_1.tar.gz from
current:

ERROR: Warning: ../rules/netbios.rules(30) => Unknown keyword 'flowbits' in rule!
Fatal Error, Quitting..

Here's the six new rules causing the problem:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2192; rev:2;)

alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; distance:0; within:1; content:"|0c|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00 00|"; distance:33; within:2; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2350; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2352; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 00 00 05 00 0b|"; distance:5; within:17; byte_test:1,&,16,1,relative; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; within:16; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS DCE/RPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:1; content:"|00|"; distance:1; within:1; byte_test:1,&,3,0,relative; content:"|00 00|"; distance:19; within:2; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:1;)

These rules were obtained from the snortrules-snapshot-2_1.tar.gz
ruleset. Is anyone else having problems with this?

Thanks

Doug


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
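The workaround in the reply (deleting the flowbits options so the ruleset loads) has a side effect worth checking first: rules gated on isset lose their bind precondition and fire on any matching packet, and rules marked noalert start alerting. The following is an added example, not code from the thread or from Snort, that strips flowbits from rule lines and reports which sids are affected; the three sample rules are shortened stand-ins constructed from the thread's 2192/2350/2352 entries (only msg, flowbits and sid kept).

```python
import re

# Matches one "flowbits:<args>;" option. Assumes no ';' inside content strings,
# which holds for the netbios rules in the thread.
FLOWBITS = re.compile(r'\s*flowbits\s*:\s*([^;]*);')

# Constructed, shortened stand-ins for sids 2192, 2350 and 2352 from the thread.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"ISystemActivator bind attempt"; '
    'flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; sid:2192; rev:2;)',
    'alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"ISystemActivator bind accept"; '
    'flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; '
    'flowbits:noalert; sid:2350; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"ISystemActivator path overflow attempt"; '
    'flowbits:isset,dce.isystemactivator.bind; sid:2352; rev:1;)',
]

def parse_rule(rule):
    """Return (sid, bits_set, bits_required, noalert) for one single-line rule."""
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', rule)
    sets, issets, noalert = set(), set(), False
    for opt in FLOWBITS.findall(rule):
        parts = [p.strip() for p in opt.split(',')]
        if parts[0] == 'set':
            sets.add(parts[1])
        elif parts[0] == 'isset':
            issets.add(parts[1])
        elif parts[0] == 'noalert':
            noalert = True
    return (int(sid.group(1)) if sid else None), sets, issets, noalert

def strip_flowbits(rule):
    """The workaround from the reply: drop every flowbits option from the rule."""
    return FLOWBITS.sub('', rule)

def audit(rules):
    """Report what stripping changes: sids whose isset gate disappears, sids whose
    noalert disappears, and isset bits that no rule in the set ever sets."""
    parsed = [parse_rule(r) for r in rules]
    defined = set().union(*(s for _, s, _, _ in parsed))
    report = {'now_unconditional': [], 'now_alerting': [], 'undefined_bits': []}
    for sid, sets, issets, noalert in parsed:
        if issets:
            report['now_unconditional'].append(sid)
        if noalert:
            report['now_alerting'].append(sid)
        report['undefined_bits'] += [(sid, b) for b in sorted(issets - defined)]
    return report

if __name__ == '__main__':
    print(audit(RULES))
    for r in RULES:
        print(strip_flowbits(r))
```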

