[Snort-sigs] sid 1048, 284, 286, 666, and 661 Rule nits

William Stearns wstearns at ...157...
Sun Oct 28 16:55:01 EST 2001


Good day, Brian,
	Many thanks for the response - I appreciate your time.

On Wed, 24 Oct 2001, Brian wrote:

> According to William Stearns:
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape
> > Enterprise directory listing attempt"; content:"INDEX " offset:0; depth:6;
> > flags:A+; reference:cve,CAN-2001-0250; reference:bugtraq,2285; classtype
> > :attempted-recon; sid:1048; rev:2;)
> >
> > 	there's a missing semicolon after "content:"INDEX "
>
> Was fixed a long time ago.

	Methinks I should grab CVS. :-)  Sorry about that.

> > snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109
> > (msg:"EXPLOIT pop2 x86 linux overflow";flags: A+; content:"|eb2c 5b89 d980
> > c106 39d9 7c07 800 1|"; classtype:attempted-admin; sid:284; rev:1;)
> >
> > 	The hex content uses mispaired hex digits such as 800 1 ; perhaps
> > 80 01 would be more common usage?
>
> Agreed.  Fixed.
>
> > snortrules/exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110
> > (msg:"EXPLOIT pop3 x86 bsd overflow";flags: A+; content:"|5e0 e31c 0b03
> > b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:1;)
>
> what is wrong with this rule?

	It had the same issue as the previous one; mispaired hex digits
(5e0 and 9fa).

> > 	One final request, if I may.  sids 666 and 661 have quotes (' or
> > `) in the content field.  Would you consider putting the quote characters
> > in hex?  I have a particular tool that's trying to read the snort rules
> > and is having trouble with those.  :-(
>
> Hex makes things harder to read, so unless the parser requires it, I
> would prefer to avoid hex for human readability.

	Truth be told, I agree with you.  :-)  I'll do a little more head
scratching.
	Cheers,
	- Bill

---------------------------------------------------------------------------
	If you think the problem is bad now, just wait until we've solved it.
	-- Arthur Kasspe
(Courtesy of Steve Dodd <dirk at ...169...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at:                http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------
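The three nits in this thread (a missing semicolon after a quoted content value, and hex sections whose digit groups are not paired into bytes) are all things a rule parser can check mechanically, and the quote problem in sids 666 and 661 goes away once the parser treats only the double quote as the field delimiter. The following linter is an added example written for this page; it is not Snort's parser and not part of the official ruleset. The sample rules are constructed here, modelled on the rules quoted above, and the option-parsing behaviour (split on `;` outside double quotes, whitespace ignored inside `|...|`) is the assumption the code is built on.

```python
"""Lint the option section of Snort rules for the nits discussed in this thread:
a missing ';' after a quoted value, and mispaired hex digits inside |...|."""
import re
from typing import List, Optional

HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed samples modelled on the rules quoted in the thread (not copied from any ruleset).
SID_1048_OLD = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape Enterprise '
                'directory listing attempt"; content:"INDEX " offset:0; depth:6; flags:A+; '
                'classtype:attempted-recon; sid:1048; rev:2;)')
SID_284_OLD = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; '
               'flags:A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 800 1|"; classtype:attempted-admin; '
               'sid:284; rev:1;)')
SID_286_OLD = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd overflow"; '
               'flags:A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; '
               'sid:286; rev:1;)')
SID_284_FIXED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; '
                 'flags:A+; content:"|eb 2c 5b 89 d9 80 c1 06 39 d9 7c 07 80 01|"; '
                 'classtype:attempted-admin; sid:284; rev:2;)')


def _closing_quote(value: str) -> Optional[int]:
    """Index of the double quote that closes value[0] == '"', honouring backslash escapes."""
    i = 1
    while i < len(value):
        if value[i] == "\\":
            i += 2          # skip the escaped character (\" or \; or \\)
            continue
        if value[i] == '"':
            return i
        i += 1
    return None


def split_options(rule: str) -> List[str]:
    """Split the text inside the outer parentheses on ';' characters that sit outside double
    quotes.  A missing ';' therefore leaves two options glued together in one token."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        tokens.append(tail)
    return tokens


def lint_content(pattern: str) -> List[str]:
    """Check the |...| hex sections of a content pattern.  Snort ignores whitespace inside the
    pipes, so '800 1' is accepted as bytes 80 01, but a group with an odd digit count no longer
    shows the reader where the byte boundaries are; an odd total digit count is a real error."""
    findings = []
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        return ["content: unbalanced '|' hex delimiters"]
    for section in parts[1::2]:          # odd-indexed parts are the hex sections
        for group in section.split():
            if not HEX_RE.fullmatch(group):
                findings.append(f"content: non-hex text '{group}' inside |{section}|")
            elif len(group) % 2:
                findings.append(f"content: mispaired hex digits '{group}' inside |{section}|")
        if len("".join(section.split())) % 2:
            findings.append(f"content: odd number of hex digits inside |{section}|")
    return findings


def lint_rule(rule: str) -> List[str]:
    """Return human-readable findings for one rule (an empty list means clean)."""
    findings = []
    for tok in split_options(rule):
        name, sep, value = (s.strip() for s in tok.partition(":"))
        if not sep or not value.startswith('"'):
            continue        # bare flag such as nocase, or an unquoted value such as sid:284
        close = _closing_quote(value)
        if close is None:
            findings.append(f"{name}: unterminated double quote")
            continue
        trailing = value[close + 1 :].strip()
        if trailing:        # e.g. content:"INDEX " offset:0  -> text after the closing quote
            findings.append(f"{name}: missing ';' before '{trailing}'")
        if name == "content":
            findings.extend(lint_content(value[1:close]))
    return findings


def content_bytes(pattern: str) -> bytes:
    """Decode a content pattern to the bytes Snort matches on.  Single quotes and backticks are
    ordinary literal bytes; only the double quote delimits the field, so a tool that tracks the
    double quotes correctly has no need for those characters to be rewritten as hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex("".join(part.split()))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


if __name__ == "__main__":
    for label, rule in [("sid 1048 (old)", SID_1048_OLD), ("sid 284 (old)", SID_284_OLD),
                        ("sid 286 (old)", SID_286_OLD), ("sid 284 (fixed)", SID_284_FIXED)]:
        print(label, "->", lint_rule(rule) or "clean")
```

Running the module prints one line per sample: the old sid 1048 reports the missing `;` before `offset:0`, the old 284 and 286 rules each report two mispaired groups (`800` and `1`, `5e0` and `9fa`), and the repaired 284 rule comes back clean. Note that Snort itself accepts the mispaired spellings because it concatenates the digits first; the linter flags them because the visual grouping no longer matches the actual byte boundaries, which is exactly the readability point raised in the thread.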