[Snort-sigs] Rule oddities in 1.8.1

Mike Baptiste mike at ...84...
Tue Aug 21 13:33:41 EDT 2001


I came across some rule syntax errors in 1.8.1 - mostly minor and 
ignored by snort, but I figured I'd highlight them so they can be 
updated in the next ruleset...

A number of rules have duplicate options, often for nocase, flags, and 
offset (my understanding from the docs is these are unique options). A 
quick check showed they were often set to the same thing anyway:

*** WARNING! Rulset dns Line 10 multiple options of type offset
*** WARNING! Rulset dns Line 11 multiple options of type offset
*** WARNING! Rulset sql Line 14 multiple options of type offset
*** WARNING! Rulset info Line 7 multiple options of type flags
*** WARNING! Rulset info Line 8 multiple options of type flags
*** WARNING! Rulset info Line 10 multiple options of type flags
*** WARNING! Rulset info Line 11 multiple options of type flags
*** WARNING! Rulset info Line 12 multiple options of type flags
*** WARNING! Rulset web-cgi Line 9 multiple options of type nocase
*** WARNING! Rulset web-cgi Line 20 multiple options of type flags
*** WARNING! Rulset web-cgi Line 48 multiple options of type nocase
*** WARNING! Rulset web-cgi Line 86 multiple options of type flags
*** WARNING! Rulset web-cgi Line 99 multiple options of type nocase
*** WARNING! Rulset web-cgi Line 100 multiple options of type nocase
*** WARNING! Rulset web-misc Line 11 multiple options of type nocase
*** WARNING! Rulset web-misc Line 12 multiple options of type nocase
*** WARNING! Rulset web-misc Line 13 multiple options of type nocase
*** WARNING! Rulset web-misc Line 39 multiple options of type nocase
*** WARNING! Rulset web-misc Line 114 multiple options of type nocase

I also found a couple rules with duplicate Snort IDs - It was my 
understanding these should be unique...

Error: DBD::mysql::db do failed: Duplicate entry '1228-1.8.1' for key 1 
at ./rule_parse line 250, <RULES> line 189.
Error: DBD::mysql::db do failed: Duplicate entry '1257-1.8.1' for key 1 
at ./rule_parse line 250, <RULES> line 21.

Looking in the files I found the following:

[baptiste at ...85... scripts]$ grep 1257 rules/1.8.1/*.rules
rules/1.8.1/dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: 
"DOS Winnuke attck; flags: U+; reference: bugtraq,2010; 
reference:cve,CVE-1999-0153; classtype: attempted-dos; sid: 1257; rev:1;)
rules/1.8.1/web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; 
uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 
1257; rev: 1;)

[baptiste at ...85... scripts]$ grep 1228 rules/1.8.1/*.rules
rules/1.8.1/scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"SCAN NMAP XMAS";flags:FPU; reference:arachnids,30; 
classtype:attempted-recon; sid:1228; rev:1;)
rules/1.8.1/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
80 (msg:"WEB-MISC SWEditServlet access"; uricontent:"/SWEditServlet"; 
flags:A+; classtype:attempted-recon; sid:1228; rev:1;)
[baptiste at ...85... scripts]$


Hope this helps!

Mike
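The two problems reported above (a unique option repeated inside one rule, and the same sid used by two rules) are easy to lint for before a ruleset ships. The following is an added example, not code from the original post or from the Snort project; it assumes the simple one-rule-per-line format shown in the grep output, splits options on `;` (so it does not handle escaped `\;` inside content strings), and the set of "unique" option names is an illustrative assumption, not Snort's full list.

```python
import re
from collections import defaultdict

# Options assumed to be unique within a rule; a repeat corresponds to the
# "multiple options of type X" warning quoted above (illustrative set).
UNIQUE_OPTIONS = {"msg", "flags", "offset", "depth", "nocase", "classtype", "sid", "rev"}

# Constructed sample ruleset modelled on the grep output in the post.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DOS Winnuke attack"; flags:U+; reference:bugtraq,2010; classtype:attempted-dos; sid:1257; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; uricontent:"scripts/root.exe?"; nocase; nocase; classtype:attempted-admin; sid:1257; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NMAP XMAS"; flags:FPU; flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC SWEditServlet access"; uricontent:"/SWEditServlet"; flags:A+; classtype:attempted-recon; sid:1228; rev:1;)
"""

def parse_options(rule):
    """Return the option body of one rule as a list of (name, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    for item in re.split(r";\s*", body):  # naive split: assumes no ';' inside quoted values
        if item.strip():
            name, _, value = item.partition(":")
            opts.append((name.strip(), value.strip()))
    return opts

def lint(rules_text):
    """Return (duplicate option findings, {sid: [line numbers]} for reused sids)."""
    dup_opts = []                    # (line number, option name, list of values)
    sid_lines = defaultdict(list)    # sid -> line numbers that declare it
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seen = defaultdict(list)
        for name, value in parse_options(line):
            seen[name].append(value)
        for name, values in seen.items():
            if name in UNIQUE_OPTIONS and len(values) > 1:
                dup_opts.append((lineno, name, values))
        for sid in seen.get("sid", []):
            sid_lines[sid].append(lineno)
    dup_sids = {sid: lines for sid, lines in sid_lines.items() if len(lines) > 1}
    return dup_opts, dup_sids

if __name__ == "__main__":
    opts, sids = lint(SAMPLE_RULES)
    for lineno, name, values in opts:
        print(f"WARNING: line {lineno} multiple options of type {name} {values}")
    for sid, lines in sids.items():
        print(f"WARNING: sid {sid} used on lines {lines}")
```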
