Snort mailing list archives

Re: Pulledpork doesn't create sid-msg.map properly


From: Shirkdog <shirkdog () gmail com>
Date: Mon, 13 Oct 2014 08:33:28 -0400

It is the age old issue of colons in the signature fields.

However, this is a specific suricata issue as the engine parses the keys as
they look in ascii and not the way snort signatures are written.

Put a bug in for this and we will take a look (or maybe someone has already
bugged it.)
On Oct 13, 2014 7:26 AM, "C. L. Martinez" <carlopmart () gmail com> wrote:

On Mon, Oct 13, 2014 at 11:03 AM, Rob MacGregor <rob.macgregor () gmail com> wrote:
On 13 October 2014 10:27, C. L. Martinez <carlopmart () gmail com> wrote:

On Mon, Oct 13, 2014 at 8:27 AM, C. L. Martinez <carlopmart () gmail com> wrote:
Hi all,

 After some days working with pulledpork for suricata 2.0.4, all worked
ok until today.

 I have added the following rules in pulledpork's config file as a
local_rules:

 https://sslbl.abuse.ch/blacklist/sslblacklist.rules

 After that, sid-msg.map isn't created properly. It works ok for the
emergingthreats rules, but not for these last rules:

cat sid-msg.rules

2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
3 || FILEEXT BMP file claimed
6 || FILESTORE jpg
648 || GPL SHELLCODE x86 NOOP || arachnids,181
653 || GPL SHELLCODE x86 0x90 unicode NOOP
8 || FILESTORE pdf
9 || FILEMAGIC pdf
902200008 ||
902200009 ||
902200035 ||
902200060 ||
902200062 ||
902200064 ||
902200081 ||
902200082 ||
902200125 ||
902200133 ||
902200134 ||
902200141 ||
902200148 ||
902200151 ||
902200178 ||
902200195 ||
902200209 ||
902200213 ||
902200241 ||
902200248 ||
902200381 ||
902200382 ||
902200383 ||

How can I fix this??

I've seen this where the message contains certain characters that confused
the parser. I'm pretty sure it was the use of colons (":") in the message
that did it in my case.

--

Thanks Rob. I have tried it (colon is removed from the msg field now),
but same result:

cat Custom-sslblacklists.rules

alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"03:1b:9a:b1:15:b9:23:06:f8:ab:ee:8f:bb:42:20:d2:86:cf:44:97"; sid:902200755; rev:1;)
alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"04:3a:68:f0:48:e8:ce:74:70:ae:58:86:0c:58:d2:58:79:66:8c:91"; sid:902200062; rev:1;)
alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (Spambot C&C)"; tls.fingerprint:"05:9e:0e:19:e3:67:bd:56:67:24:ae:49:6d:fa:73:47:84:6b:b8:e6"; sid:902201397; rev:1;)
.............................................

in sid-msg.map:

2523258 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523260 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523262 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
3 || FILEEXT BMP file claimed
6 || FILESTORE jpg
648 || GPL SHELLCODE x86 NOOP || arachnids,181
653 || GPL SHELLCODE x86 0x90 unicode NOOP
8 || FILESTORE pdf
9 || FILEMAGIC pdf
902200008 ||
902200009 ||
902200035 ||
902200060 ||
902200062 ||
902200064 ||
902200081 ||
902200082 ||
902200125 ||

Uhmm ... but if the problem is with the colon in the fingerprint
field, then I have a problem :))


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
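Added example (not code from this thread, from pulledpork or from Suricata): a small quote-aware Snort/Suricata option parser in Python that builds sid-msg.map v1 lines ("sid || msg || reference ...") from rule text, and a check that flags map entries whose msg field came out empty, like the "902200008 ||" lines quoted above. The sample rules are constructed, modelled on the sslbl rules in the thread (the fingerprints are placeholder values); the naive split-on-delimiters parser is included only for contrast, to show how "msg :" with a space before the colon, or delimiters inside a quoted string, yield blank msg lookups. It does not claim to reproduce pulledpork's actual parsing logic.

```python
"""Added illustration for this thread (not pulledpork's own code): a
quote-aware Snort/Suricata option parser that builds sid-msg.map v1 lines
and flags entries with an empty msg. Sample rules below are constructed,
modelled on the sslbl rules quoted in the thread; fingerprints are fake."""
import re

SAMPLE_RULES = r'''
# constructed sample; note 'msg :' with a space, and ':'/';' inside quotes
alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C&C)"; tls.fingerprint:"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"; sid:902200755; rev:1;)
alert tls any any -> any any (msg :"SSL Fingerprint Blacklist Malicious SSL certificate detected (Spambot C&C)"; tls.fingerprint:"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"; sid:902201397; rev:1;)
alert tcp any any -> any any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; reference:arachnids,181; sid:648; rev:1;)
alert http any any -> any any (msg:"TEST msg with colon: and semi\; inside"; content:"a"; nocase; reference:url,example.invalid/a; reference:cve,0000-0000; sid:9000001; rev:1;)
'''


def rule_body(line):
    """Return the option text between the rule's outer parentheses, or None."""
    lp, rp = line.find("("), line.rfind(")")
    return line[lp + 1:rp] if 0 <= lp < rp else None


def naive_options(body):
    """Quick-and-dirty parser (for contrast only): split on ';' then on the
    first ':'. It keeps the trailing space in the key for 'msg :' and breaks
    on ';' inside quoted strings, so a lookup of 'msg' comes back empty."""
    opts = {}
    for part in body.split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            opts[key] = val.strip().strip('"')
    return opts


def tokenize_options(body):
    """Split rule options into (key, value) pairs. Quoted values may contain
    ':' and ';' and backslash escapes; keys are stripped so that 'msg :"..."'
    and 'msg:"..."' both yield the key 'msg'. Flag options get value None."""
    opts, i, n = [], 0, len(body)
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if i >= n:
            break
        start = i
        while i < n and body[i] not in ":;":
            i += 1
        key, value = body[start:i].strip(), None
        if i < n and body[i] == ":":
            i += 1
            while i < n and body[i].isspace():
                i += 1
            if i < n and body[i] == '"':          # quoted value
                i, buf = i + 1, []
                while i < n and body[i] != '"':
                    if body[i] == "\\" and i + 1 < n:
                        buf.append(body[i + 1])   # keep escaped char literally
                        i += 2
                    else:
                        buf.append(body[i])
                        i += 1
                i += 1                            # past closing quote
                value = "".join(buf)
                while i < n and body[i] != ";":   # ignore junk up to ';'
                    i += 1
            else:                                 # bare value
                start = i
                while i < n and body[i] != ";":
                    i += 1
                value = body[start:i].strip()
        if i < n and body[i] == ";":
            i += 1
        if key:
            opts.append((key, value))
    return opts


def parse_rule(line):
    """Parse one rule line; returns None for blanks, comments or non-rules."""
    line = line.strip()
    body = rule_body(line) if line and not line.startswith("#") else None
    if body is None:
        return None
    rule = {"sid": None, "msg": "", "refs": [], "options": {}}
    for key, val in tokenize_options(body):
        if key == "sid" and val and val.isdigit():
            rule["sid"] = int(val)
        elif key == "msg":
            rule["msg"] = val or ""
        elif key == "reference" and val:
            rule["refs"].append(val)
        else:
            rule["options"][key] = val
    return rule if rule["sid"] is not None else None


def build_sid_msg_map(text):
    """Emit sid-msg.map v1 lines, sorted numerically by sid."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    return [" || ".join([str(r["sid"]), r["msg"]] + r["refs"])
            for r in sorted(rules, key=lambda r: r["sid"])]


MAP_LINE = re.compile(r"^\s*(\d+)\s*\|\|(.*)$")


def empty_msg_sids(map_lines):
    """Post-generation check: sids whose msg field in the map is blank."""
    bad = []
    for line in map_lines:
        m = MAP_LINE.match(line)
        if m and not m.group(2).split("||")[0].strip():
            bad.append(int(m.group(1)))
    return bad


if __name__ == "__main__":
    for line in build_sid_msg_map(SAMPLE_RULES):
        print(line)
    first = next(l for l in SAMPLE_RULES.splitlines() if l.startswith("alert"))
    print("naive 'msg' lookup:", repr(naive_options(rule_body(first)).get("msg")))
    print("blank-msg sids:", empty_msg_sids(["648 || GPL SHELLCODE x86 NOOP || arachnids,181", "902200008 ||"]))
```

Running the generated map through empty_msg_sids() is the check worth adding to any rule-update job: a non-empty result means some rules were parsed without a message, and those sids will show up with blank descriptions in the alert output.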
