[Snort-devel] Snort 'asn1' bug

Martin Roesch roesch at ...402...
Fri Aug 27 06:33:23 EDT 2004


Sounds like you're not running the version of Snort you think you are.   
Is your snortd script pointing at the Snort 2.2.0 binary?

      -Marty

On Aug 25, 2004, at 1:10 PM, mike goudie wrote:

> Hello,
>
> I was trying to update Snort on my box when I
> discovered a possible bug that I came across.
>
> My actions were:
> Download latest Snort.tar.gz and current-rules.tar.gz.
> md5sum, everything is fine.
> Re-install Snort (latest version), then I copied the
> latest rules to /etc/snort/rules. I know, but... I
> like them fresh.
>
> Then /etc/init.d/snortd restart.
>
> ps -e|grep snort
>  <nada>
> and this error showed up in /var/log/messages
>
> FATAL ERROR: Warning:
> /etc/snort/rules/exploit.rules(79) =>
> Unknown keyword ' asn1' in rule!
>
> Not a big deal, just thought I'd let you know.
>
> Regards,
> Mike
>
>
> -> Enabled in exploit.rules (2):
> alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)
>
> -> Enabled in netbios.rules (2):
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org