[Snort-devel] Snort 'asn1' bug

mike goudie mikegoudie at ...398...
Fri Aug 27 05:45:16 EDT 2004


Hello,

I was trying to update Snort on my box when I
discovered a possible bug that I came across.

My actions were:
Download latest Snort.tar.gz and current-rules.tar.gz.
md5sum, everything is fine.
Re-installed Snort (latest version), then I copied the
latest rules to /etc/snort/rules. I know, but... I
like them fresh.

Then /etc/init.d/snortd restart. 

ps -e|grep snort
 <nada>
and this error showed up in /var/log/messages

FATAL ERROR: Warning: /etc/snort/rules/exploit.rules(79) => Unknown keyword ' asn1' in rule!

Not a big deal, just thought I'd let you know.

Regards,
Mike


-> Enabled in exploit.rules (2):
alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)

-> Enabled in netbios.rules (2):
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)
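What the `asn1:oversize_length 1024,relative_offset -1` option in the Kerberos rules above actually measures, as an added illustration that is not Snort's code and not part of the original post: a minimal BER identifier/length decoder, an `oversize_length` check built on it, and a simplified model of sid:2578's option chain (`content:"|6A|"; depth:1; content:"|01 A1|"; asn1:...`). The function names, the reduced content-matching semantics (a plain `find` instead of Snort's matcher) and the two sample payloads are assumptions made for the example; the payloads are constructed, not captured traffic.

```python
# Added illustration (not Snort's own code): a minimal BER tag/length decoder
# and a model of what the asn1:oversize_length option in the rules above
# checks. Sample payloads are constructed here, not captured traffic.
from dataclasses import dataclass
from typing import Optional


@dataclass
class BerHeader:
    tag: int                 # first identifier octet (class/constructed bits + tag number)
    length: Optional[int]    # decoded length; None for the indefinite form (0x80)
    header_len: int          # octets consumed by identifier + length


def decode_ber_header(buf: bytes, offset: int) -> BerHeader:
    """Decode the identifier and length octets of the BER TLV at buf[offset]."""
    if offset < 0 or offset >= len(buf):
        raise ValueError("offset outside buffer")
    tag = buf[offset]
    pos = offset + 1
    # High-tag-number form: tag number continues while bit 7 is set.
    if tag & 0x1F == 0x1F:
        while True:
            if pos >= len(buf):
                raise ValueError("truncated identifier")
            more = buf[pos] & 0x80
            pos += 1
            if not more:
                break
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        length: Optional[int] = first
    elif first == 0x80:                   # indefinite form
        length = None
    else:                                 # long form: N big-endian octets
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return BerHeader(tag, length, pos - offset)


def oversize_length(buf: bytes, offset: int, limit: int) -> bool:
    """Model of asn1:oversize_length <limit>: the length field at offset exceeds limit.
    The claimed length is taken at face value, so a 4-byte length field claiming
    4096 octets inside a 40-byte packet still counts as oversize; that is the point."""
    hdr = decode_ber_header(buf, offset)
    return hdr.length is not None and hdr.length > limit


def kerberos_rule_matches(payload: bytes) -> bool:
    """Simplified model of sid:2578's option chain:
       content:"|6A|"; depth:1;      -> APPLICATION 10 (AS-REQ) tag in byte 0
       content:"|01 A1|";            -> INTEGER value 1 followed by a [1] tag
       asn1:oversize_length 1024,relative_offset -1;
    relative_offset -1 steps back one byte from the end of the last match,
    i.e. onto the 0xA1 tag, so the decoder reads that element's length."""
    if payload[:1] != b"\x6a":
        return False
    idx = payload.find(b"\x01\xa1")
    if idx == -1:
        return False
    end_of_match = idx + 2
    try:
        return oversize_length(payload, end_of_match - 1, 1024)
    except ValueError:
        return False            # truncated encoding: nothing to measure


# Constructed samples (not real captures). BENIGN is a minimal AS-REQ-shaped
# blob whose name-string [1] is 7 octets long; OVERSIZED claims 0x0ff9 octets.
BENIGN = (b"\x6a\x14\x30\x12\xa1\x10\x30\x0e\xa0\x03\x02\x01\x01"
          b"\xa1\x07\x30\x05\x1b\x03bob")
OVERSIZED = (b"\x6a\x82\x10\x0e\x30\x82\x10\x0a\xa1\x82\x10\x06\x30\x82\x10\x02"
             b"\xa0\x03\x02\x01\x01\xa1\x82\x0f\xf9\x30\x82\x0f\xf5\x1b\x82\x0f\xf1"
             + b"A" * 16)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(f"{name}: alert={kerberos_rule_matches(pkt)}")
```

The same helper covers the netbios rules' positive offset: after the `|FF|SMBs` match and the `byte_test`, `asn1:... oversize_length 2048 ... relative_offset 54` corresponds to `oversize_length(payload, end_of_match + 54, 2048)`. The `double_overflow` and `bitstring_overflow` checks those rules also use are not modelled here.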





