Snort mailing list archives

Re: Possible FP 17363


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Tue, 26 Oct 2010 10:53:42 -0400

James - that's good for now - what does the command you run oinkmaster with look like?

Something like this:

/usr/local/bin/oinkmaster.pl -C /usr/local/etc/oinkmaster.conf -o /etc/snort/rules/

Make sure the -o /path portion is the same place your snort.conf has for var RULE_PATH.

-J
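A check for the mismatch Jason describes, as an added example that is not part of this thread or of oinkmaster itself: it reads the disablesid list from oinkmaster.conf, reads var RULE_PATH from snort.conf (to compare against the -o directory), and reports whether each disabled SID is actually commented out in the .rules files of a given directory. The config text, rule text and file names are constructed; only the SID 17363 comes from the thread.

```python
import os
import re
import tempfile
# Hypothetical checker; the regexes are ours, not oinkmaster's own parser.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
DISABLESID_RE = re.compile(r'^[ \t]*disablesid[ \t]+([\d, \t]+)$', re.MULTILINE)
RULE_PATH_RE = re.compile(r'^[ \t]*var[ \t]+RULE_PATH[ \t]+(\S+)', re.MULTILINE)

def parse_disabled_sids(oinkmaster_conf):
    """Every SID named on a disablesid line (comma or whitespace separated)."""
    sids = set()
    for m in DISABLESID_RE.finditer(oinkmaster_conf):
        sids.update(int(s) for s in m.group(1).replace(',', ' ').split())
    return sids

def rule_path(snort_conf):
    """Directory snort.conf loads rules from; compare it with oinkmaster's -o path."""
    m = RULE_PATH_RE.search(snort_conf)
    return os.path.normpath(m.group(1)) if m else None

def audit_disabled_sids(rules_dir, disabled_sids):
    """Map each disabled SID to 'commented', 'ACTIVE' (still live) or 'missing'."""
    status = {sid: 'missing' for sid in disabled_sids}
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith('.rules'):
            continue
        with open(os.path.join(rules_dir, name)) as fh:
            for line in fh:
                m = SID_RE.search(line)
                if not m or int(m.group(1)) not in status:
                    continue
                sid = int(m.group(1))
                if not line.lstrip().startswith('#'):
                    status[sid] = 'ACTIVE'      # a live copy anywhere wins
                elif status[sid] == 'missing':
                    status[sid] = 'commented'
    return status

# Constructed sample mirroring the thread: 17363 is on the disablesid list,
# yet the rule file in the directory being grepped still carries it live.
OINK_CONF = "disablesid 1390,1394,17363\nskipfile local.rules\n"
SNORT_CONF = "var RULE_PATH /etc/snort/rules/\n"
RULES = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"x"; sid:17363; rev:1;)\n'
         '# alert tcp any any -> any any (msg:"y"; sid:1394; rev:2;)\n')
def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, 'web-client.rules'), 'w') as fh:
            fh.write(RULES)
        return audit_disabled_sids(d, parse_disabled_sids(OINK_CONF))
```

An 'ACTIVE' result for a SID you disabled means the directory you are inspecting is not the one oinkmaster wrote to, or the update never ran against it.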

        -----Original Message-----
        From: Lay, James [mailto:james.lay () wincofoods com] 
        Sent: Tuesday, October 26, 2010 10:48 AM
        To: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] Possible FP 17363
        
        

        Thank you.

        Oinkmaster.conf:

        url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz
        url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
        path = /bin:/usr/bin:/usr/local/bin
        update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
        skipfile local.rules
        skipfile deleted.rules
        skipfile snort.conf
        disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363

        The snort.conf file is kinda beefy...what's the best method to put this online?  Thanks again.

        James


        From: Weir, Jason [mailto:jason.weir () nhrs org] 
        Sent: Tuesday, October 26, 2010 8:21 AM
        To: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] Possible FP 17363

        Have to see your oinkmaster.conf and snort.conf.

        -J

                -----Original Message-----
                From: Lay, James [mailto:james.lay () wincofoods com] 
                Sent: Tuesday, October 26, 2010 10:13 AM
                To: snort-sigs () lists sourceforge net
                Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

                Hrmm....that's confusing then...oinkmaster says:

                Loading /usr/local/etc/snort/oinkmaster.conf
                Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
                Archive successfully downloaded, unpacking... done.
                Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
                Archive successfully downloaded, unpacking... done.
                Setting up rules structures... done.
                Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
                Setting up rules structures... done.
                Comparing new files to the old ones... done.
                Updating local rules files... done.

                Yet:

                [08:11:48 me@ids:~/rules$] sudo grep 17363 *.rules
                web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

                Are rules not getting updated in 2900?  Or is my oinkmaster not doing what it's supposed to do?  Thanks for any help.

                James

                 

                From: Alex Kirk [mailto:akirk () sourcefire com] 
                Sent: Monday, October 25, 2010 10:44 AM
                To: rmkml
                Cc: Lay, James; snort-sigs () lists sourceforge net;
rmkml () free fr
                Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
                Importance: Low

                Actually, this rule is currently at rev:3 - adding a flowbit check and some additional bytes to the content match - due to earlier false positive reports. If you get further FPs with the current revision of the rule, please let us know.

                On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

                Hi James,
                maybe, for a "small" FP reduction, add "isdataat:255,relative;" after byte_test()?
                another maybe: are null bytes a separator? and instead "isdataat:255,relative; content:!"|00|"; within:255;" ?
                Regards
                Rmkml

                PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded