Snort mailing list archives

RE: [Snort-sigs] sigs with asn1 fails


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 28 Jul 2004 10:13:28 -0500

Sorry, typo in the email; that should have read that I tested the
CURRENT and 2_2 zipped files.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Joshua
Berry
Sent: Wednesday, July 28, 2004 8:45 AM
To: snort
Subject: RE: [Snort-sigs] sigs with asn1 fails

I update twice a day with oinkmaster pointed to
www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and have not seen
the asn1 keyword in any of the rules I downloaded.  However, I tested
downloading www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and it
has the keyword and so does
www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz

Maybe these people are using the CURRENT rules, or I just happen to be
downloading when they fix the problem every single time.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Rocio
Alfonso Pita
Sent: Wednesday, July 28, 2004 4:03 AM
To: 'snort'
Subject: [Snort-sigs] sigs with asn1 fails

Hello,

  I update my snort rules with oinkmaster. Yesterday, snort did not start
after this update, giving the following errors:

snort: FATAL ERROR: Warning: /var/oinkmaster/rules/exploit.rules(79) => Unknown keyword ' asn1' in rule!
snort: FATAL ERROR: Warning: /var/oinkmaster/rules/netbios.rules(115) => Unknown keyword ' asn1' in rule!

  Rules that I had to deactivate for snort to start (output oinkmaster):

Note: Oinkmaster is running in careful mode - not updating anything.

[***] Results from Oinkmaster started Wed Jul 28 10:48:34 2004 [***]

[+++]         Enabled rules:         [+++]

     -> Enabled in exploit.rules (2):
        alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)

     -> Enabled in netbios.rules (2):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.

  What is the problem in these sigs?

  Thanks and regards,
     rozio

PS: Additional information:
Snort version: 2.1.2
Oinkmaster version: 1.0
Rules: http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
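To make the asn1 options in the rules quoted above concrete, here is an added example (not Snort's code and not from anyone in the thread): a minimal BER tag/length decoder that models what oversize_length and bitstring_overflow check, and a replay of sid:2578's match logic against constructed sample payloads. The sample bytes are constructed for the example, and the reading of relative_offset -1 as "start decoding at the A1 byte of the last content match" is an assumption.

```python
# Added example, not Snort's code: a minimal BER tag/length decoder that models
# the asn1 options used in the quoted rules, then replays sid:2578's logic.
from typing import Optional, Tuple

def decode_tag_length(buf: bytes, pos: int) -> Optional[Tuple[int, int, int]]:
    """Return (tag, content length, header size) for the BER element at buf[pos],
    or None if the header is truncated. Assumes single-octet tags (true above)."""
    start = pos
    if pos + 1 >= len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        return tag, first, pos - start
    nbytes = first & 0x7F                 # long form: next nbytes octets hold it
    if nbytes == 0 or pos + nbytes > len(buf):
        return None                       # indefinite form or truncated header
    return tag, int.from_bytes(buf[pos:pos + nbytes], "big"), pos - start + nbytes

def oversize_length(buf: bytes, pos: int, max_len: int) -> bool:
    """asn1:oversize_length N -- the element declares more than N content bytes."""
    r = decode_tag_length(buf, pos)
    return r is not None and r[1] > max_len

def bitstring_overflow(buf: bytes, pos: int) -> bool:
    """asn1:bitstring_overflow -- BIT STRING whose 'unused bits' octet exceeds 7,
    which X.690 forbids (assumed here to be what the keyword flags)."""
    r = decode_tag_length(buf, pos)
    if r is None:
        return False
    tag, length, hdr = r
    if tag & 0x1F != 0x03 or length < 1 or pos + hdr >= len(buf):
        return False
    return buf[pos + hdr] > 7

def sid2578_matches(payload: bytes) -> bool:
    """Model of the quoted UDP rule: content:"|6A|"; depth:1; content:"|01 A1|";
    asn1:oversize_length 1024,relative_offset -1 (decode starts at the A1 tag)."""
    if not payload.startswith(b"\x6a"):
        return False
    m = payload.find(b"\x01\xa1")
    return m >= 0 and oversize_length(payload, m + 2 - 1, 1024)

# Constructed samples, not real captures: a benign AS-REQ-shaped blob and one
# whose [1] element declares a 4095-byte length (long form 82 0F FF).
BENIGN = bytes.fromhex("6a0c300aa003020101a103020105")
OVERSIZED = bytes.fromhex("6a82100530821001a1820fff1b0441414141")
```

Running the two samples through sid2578_matches shows only OVERSIZED firing, which is exactly the case the rule's asn1 option exists to catch and why it cannot be loaded by a Snort build that predates the keyword.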
