[Snort-devel] Tag = Unknown Sig Name

Martin Olsson elof at ...969...
Wed Jan 14 06:16:04 EST 2004


Hi!

I have never used taging in my snort system, but on Dec 18 I downloaded
the snortrules-stable.tar.gz, which had the following rule:

netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS
DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0;
within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20
AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets;
reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528;
reference:cve,CAN-2003-0605;  classtype:attempted-admin;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp;
sid:2251; rev:3;)

As you can see, there are a "tag:session,5,packets;" there.

This particular rule triggered very frequently on one of my sensors, and
my ACID for that sensor reported lot's of "Unknown Sig Name". After some
analyzing I found the tag option quoted above.



The database plugin do this check before logging the tagged packet:

SELECT sig_id FROM signature WHERE sig_name = '' AND sig_rev = 1 AND
sig_sid = 1

Look, the sig_name is empty, that's why ACID say "Unknown Sig Name".


My question:
Couldn't you set the sig_name to 'Tagged packet' or '${msg} (tag)' or
something like that for tagged packets? Then the operator using ACID
would understand what he is looking at.

What say you?

/Martin





More information about the Snort-devel mailing list