Snort mailing list archives
Snort load error with rule sid 21349
From: Jon Larson <jon () catbird com>
Date: Wed, 28 Nov 2012 18:50:06 -0800
The latest server-other.rules file contains this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; isdataat:80,relative; pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; metadata:policy security-ips drop; reference:bugtraq,37250; reference:cve,2009-3844; reference:url,osvdb.org/60852; classtype:attempted-admin; sid:21349; rev:2;)

I include this in my snort.conf. Then when I do "service snortd start" it fails and this error is in /var/log/messages:

snort[8808]: FATAL ERROR: /opt/catbird/lib/snort/server-other.rules(382) : pcre compile of "^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})" failed at offset 243 : repeated subpattern is too long

Here is the version information:

sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Any and all help would be greatly appreciated!

Jonny L.
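Mapping the "failed at offset 243" in the error above back to a construct in the pattern, as an added example that is not part of the original post or of Snort: it pulls the pcre option out of a rule and lists every counted repetition applied to a parenthesized group, with the offset just past each quantifier. The helper names are hypothetical and the sample rule is the one from the message, abbreviated to a few options.

```python
import re

# Pattern of sid 21349 as quoted in the message, assembled from its repeated parts.
U = r"(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])"   # two bytes, not both NUL
S = r"([\x01\x20]\x00)"
PATTERN = ("^" + S + "?(" + U + r"\x00\x00" + S + "?){3}(" + U + "{64}|"
           + U + r"\x00\x00" + S + U + "{256})")
# Constructed sample: the rule from the message, abbreviated to a few options.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER '
        'HP OpenView Storage Data Protector stack overflow attempt"; pcre:"/'
        + PATTERN + '/R"; sid:21349; rev:2;)')

PCRE_OPT = re.compile(r'pcre:\s*"!?/(.*?)/([A-Za-z]*)"\s*;')
TOKEN = re.compile(r"""\\.                          # escaped character
                     | \[\^?\]?(?:\\.|[^\]\\])*\]   # character class
                     | (?P<open>\()
                     | (?P<close>\))(?:\{(?P<n>\d+)(?:,(?P<m>\d*))?\})?""", re.X | re.S)

def extract_pcre(rule):
    """Return (pattern, modifiers) from a rule's pcre option, or None."""
    m = PCRE_OPT.search(rule)
    return (m.group(1), m.group(2)) if m else None

def counted_group_repeats(pattern):
    """List (end_offset, count, group_text) for each {n} or {n,m} after a ')'."""
    found, stack = [], []
    for t in TOKEN.finditer(pattern):
        if t.group("open"):
            stack.append(t.start())
        elif t.group("close") and stack:
            start = stack.pop()
            if t.group("n"):                 # upper bound if given, else n
                count = int(t.group("m") or t.group("n"))
                found.append((t.end(), count, pattern[start:t.start() + 1]))
    return found

def repeat_at(pattern, offset):
    """Return the counted repeat whose quantifier ends at a reported offset."""
    return next((r for r in counted_group_repeats(pattern) if r[0] == offset), None)

if __name__ == "__main__":
    pat, _ = extract_pcre(RULE)
    for end, count, group in counted_group_repeats(pat):
        print(f"offset {end}: {len(group)}-char group repeated {count} times")
    print("reported offset 243 ->", repeat_at(pat, 243))
```

Run against this rule, the entry at offset 243 is the {256} applied to the 40-character alternation group, which is where the reported compile failure lands.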