[Snort-devel] Bug: mysql quoting in barnyard || sid-msg.map in snort

Jens Krabbenhoeft tschenz-snort-devel at ...1606...
Thu Nov 14 04:49:02 EST 2002


Hi all,

  it seems quoting parameters for mysql doesn't work properly in
barnyard (0.1.0-rc3). The error that triggered that behaviour, however,
is an error in the snort distribution.

snort.log:

[**] [1:975:8] WEB-IIS .asp::$DATA access [**]
[Classification: Web Application Attack] [Priority: 1] 
11/14-07:11:15.731864 a.b.c.d:3350 -> w.x.y.z:80
TCP TTL:105 TOS:0x0 ID:49419 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0x4A41E436  Ack: 0xF5210136  Win: 0x2426  TcpLen: 20
[Xref => nessus 10362][Xref => cve CVE-1999-0278][Xref => url
support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806][Xref =>
bugtraq 149]

barnyard error:
Error (You have an error in your SQL syntax near
''support.microsoft.com/default.aspx?scid=kb\'' at line 1) executing
query: SELECT ref_id FROM reference WHERE ref_system_id=5 AND
ref_tag='support.microsoft.com/default.aspx?scid=kb\'
Fatal Error, Quitting..

rule:
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS .asp\:\:$DATA access"; flow:to_server,established;
uricontent:".asp|3a3a|$DATA"; nocase; reference:bugtraq,149;
reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806;
reference:cve,CVE-1999-0278; reference:nessus,10362;
classtype:web-application-attack; sid:975; rev:8;)

sid-msg.map:
975 || WEB-IIS .asp\:\:$DATA access || cve,CVE-1999-0278 ||
url,support.microsoft.com/default.aspx?scid=kb\ || bugtraq,149

And there is the error. The sid-msg.map generator used seems to have
problems parsing references (perhaps parsing msg too). It seems to stop
at "the next ;" although the ; is quoted correctly in the rule itself.
Although it's a sid-msg.map error, it seems that quoting SQL statements
should be done in barnyard. That would make barnyard more stable.

I had a look at the regen-sidmap in the contrib directory, and coded a
little regen-sidmap myself. Perhaps people might use this version, or
someone wants to try it/send bug reports/include it in the
snort-contrib/edit it, ...

BTW: parsing multi-line rules should work as in snort itself.
BTW: there are no sanity checks for the files: neither for those being
read (existing, readable) nor for those being written to (writeable,
symlink, ...)

I tested it, and it seems to work without any problems. 

Kind regards,

	Jens
-------------- next part --------------
#!/usr/bin/perl

# Copyright (c) 2002 Jens Krabbenhoeft <tschenz-snort at ...1681...>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or 
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, 
# but WITHOUT ANY WARRANTY; without even the implied warranty of 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License 
# along with this program; if not, write to the Free Software 
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 

# regen-sidmap
#
# Regenerate the sid-msg.map from a set of snort rule files.
# Output format: sid || msg || reference || reference ...
#
# USAGE:
# regen-sidmap <rulefile> <rulefile> <rulefile>
#   e.g.: regen-sidmap /etc/snort/rules/*.rules

use strict;
use warnings;

# configure the output file
my $SIDMSG = "/tmp/sid-msg.map";

die "Usage: $0 <rulefiles>\n" if ( $#ARGV == -1 );
die "Error: don't run as root\n" unless ($>);

open(SIDMSG, ">$SIDMSG") or die "Error: can't write $SIDMSG: $!\n";
foreach my $_rulefile (@ARGV) {
    open(RULEFILE, "<$_rulefile") or die "Error: can't read $_rulefile: $!\n";
    my $savedline = '';
    while (my $newline = <RULEFILE>) {
        # strip CR/LF
        chomp($newline);
        # strip leading/trailing whitespace
        $newline = trim_spaces($newline);
        # skip empty lines and comment lines (# or ;)
        next if ( $newline =~ /^$/ || $newline =~ /^#/ || $newline =~ /^;/ );
        # concatenate continued lines
        $savedline .= $newline;
        # a trailing \ means the rule continues on the next line:
        # drop the \ and keep collecting (same as snort does)
        next if $savedline =~ s/\\$//;

        # past here, $savedline holds one complete rule

        # split at the first '(' -> rule head | rule options (with trailing ')')
        my ($_rulehead, $_ruleoptions) = map(trim_spaces($_), split(/\(/, $savedline, 2));
        # a line without '(' carries no options and therefore no sid
        $_ruleoptions = '' unless defined $_ruleoptions;
        # strip the surrounding brackets
        $_ruleoptions = trim_brackets($_ruleoptions);
        # split into the single options: on ';' which are NOT preceded by a \
        # (this is the point the faulty generator got wrong: a quoted \; is
        # part of the value, e.g. reference:url,...?scid=kb\;EN-US\;q188806)
        my @ruleoptions = map(trim_spaces($_), split(/(?<!\\);/, $_ruleoptions));
        my %sidmsg;
        foreach my $_option (@ruleoptions) {
            next if $_option eq '';
            # key:value; options without ':' (e.g. nocase) get an undef value
            my ($key, $val) = split(/\s*:\s*/, $_option, 2);
            # strip the quotes around quoted values (msg:"...")
            if ( defined $val ) { $val =~ s/^"(.*?)"$/$1/; }
            push(@{$sidmsg{$key}}, $val);
        }
        # only rules with both a sid and a msg belong into the map
        if ( exists $sidmsg{'sid'} && exists $sidmsg{'msg'} ) {
            print SIDMSG join(" || ", $sidmsg{'sid'}[0], $sidmsg{'msg'}[0],
                              @{$sidmsg{'reference'} || []}) . "\n";
        }
        $savedline = '';
    }
    close(RULEFILE);
}
close(SIDMSG) or die "Error: can't close $SIDMSG: $!\n";

exit 0;

# strip leading/trailing whitespace
sub trim_spaces {
    my $_line = shift;
    for ( $_line ) {
        s/^\s+//;
        s/\s+$//;
    }
    return $_line;
}

# strip one leading '(' and one trailing ')'
sub trim_brackets {
    my $_line = shift;
    for ( $_line ) {
        s/^\(//;
        s/\)$//;
    }
    return $_line;
}
