[Snort-sigs] missing SIDs

SoloNet Newsfeed Processor newsfeed at ...1411...
Tue Nov 4 06:16:18 EST 2003


from today's pull... can we get SIDs on them?

%/usr/local/bin/oinkmaster -o /usr/local/share/snort/ -b
/usr/local/share/snort/backup/
Downloading rules archive from
http://www.snort.org/dl/rules/snortrules-current.tar.gz...
15:17:36 URL:http://www.snort.org/dl/rules/snortrules-current.tar.gz
[119360/119360] -> "/tmp/oinkmaster.17807/snortrules.tar.gz" [1]
Archive successfully downloaded, unpacking... done.
Disabling rules according to /usr/local/etc/oinkmaster.conf...
WARNING: I don't understand this rule in downloaded file
experimental.rules (perhaps bad syntax or missing SID etc?):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan
traffic"; flags:S,12; window:55808;)

WARNING: I don't understand this rule in downloaded file rpc.rules
(perhaps bad syntax or missing SID etc?):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with
root credentials attempt TCP"; flow:to_server,established; content:"|00 01
87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 01|";
distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00
00|"; distance:0; within:4;)

WARNING: I don't understand this rule in downloaded file rpc.rules
(perhaps bad syntax or missing SID etc?):
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with
root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12;
depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8;
byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0;
within:4;)
1 rules disabled.
Comparing new files to the old ones... done.
Creating backup of old rules... saved as
/usr/local/share/snort/backup/rules-backup-20031103-1517.tar.gz.

[***] Results from Oinkmaster started Mon Nov  3 15:17:46 2003 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule modifications: [*]
    None.

[+] Added files (consider updating your snort.conf to include them): [+]

    -> attack-responses.rules
    -> backdoor.rules
    -> bad-traffic.rules
    -> chat.rules
    -> ddos.rules
    -> deleted.rules
    -> dns.rules
    -> dos.rules
    -> experimental.rules
    -> exploit.rules
    -> finger.rules
    -> ftp.rules
    -> icmp-info.rules
    -> icmp.rules
    -> imap.rules
    -> info.rules
    -> misc.rules
    -> multimedia.rules
    -> mysql.rules
    -> netbios.rules
    -> nntp.rules
    -> oracle.rules
    -> other-ids.rules
    -> p2p.rules
    -> policy.rules
    -> pop2.rules
    -> pop3.rules
    -> porn.rules
    -> rpc.rules
    -> rservices.rules
    -> scan.rules
    -> shellcode.rules
    -> smtp.rules
    -> snmp.rules
    -> sql.rules
    -> telnet.rules
    -> tftp.rules
    -> virus.rules
    -> web-attacks.rules
    -> web-cgi.rules
    -> web-client.rules
    -> web-coldfusion.rules
    -> web-frontpage.rules
    -> web-iis.rules
    -> web-misc.rules
    -> web-php.rules
    -> x11.rules

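The warnings in the oinkmaster output above are the tool's check that every rule carries a `sid:` option; without it oinkmaster cannot compare a rule against the previous download, and Snort cannot correlate alerts to a stable identifier. The following is an added example, not code from the post or from oinkmaster, that performs the same check on a rule file: it parses the rule header, splits the option body without breaking on `;` inside quoted strings or `|hex|` content, and reports rules whose `sid` is missing. The three rejected rules are copied from the output above and re-joined onto single lines (the mail client wrapped them); the control rule and its `sid:1000001` are constructed placeholders in the local SID range, not real Sourcefire identifiers.

```python
"""Report Snort rules that lack the sid: option, as oinkmaster does.

Added example; not part of the original mailing-list post or of oinkmaster.
"""
import re

# The three rules oinkmaster rejected in the post, copied from its output
# and re-joined onto single lines (the mail client wrapped them).
REJECTED_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan '
    'traffic"; flags:S,12; window:55808;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with '
    'root credentials attempt TCP"; flow:to_server,established; content:"|00 01 '
    '87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 01|"; '
    'distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 '
    '00|"; distance:0; within:4;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with '
    'root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12; '
    'depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; '
    'byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; '
    'within:4;)',
]

# Constructed control rule. The sid is a placeholder from the local range
# (>= 1000000), not a real Sourcefire SID.
WELL_FORMED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                    '(msg:"EXAMPLE rule with sid"; flags:S; sid:1000001; rev:1;)')

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes.

    A plain body.split(';') would break msg strings containing ';' and
    content strings; backslash escapes inside quotes are honoured.
    """
    opts, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ';' and not in_quote:
            token = ''.join(current).strip()
            if token:
                opts.append(token)
            current = []
        else:
            current.append(ch)
    tail = ''.join(current).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return a dict of header fields plus an ordered list of (key, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % line)
    rule = m.groupdict()
    body = rule.pop('body')
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(':')   # options like "nocase" have no value
        options.append((key.strip(), value.strip()))
    rule['options'] = options
    return rule


def option_value(rule, key):
    """First value of the named option, or None if the rule lacks it."""
    for k, v in rule['options']:
        if k == key:
            return v
    return None


def decode_content(value):
    """Convert a content:"..." value to bytes; |..| sections are hex, rest is literal."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode('latin-1'))
    return bytes(out)


def find_rules_missing_sid(lines):
    """Return (line number, msg) for every rule with no numeric sid option."""
    problems = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        sid = option_value(rule, 'sid')
        if sid is None or not sid.isdigit():
            msg = (option_value(rule, 'msg') or '').strip('"')
            problems.append((lineno, msg))
    return problems


if __name__ == '__main__':
    for lineno, msg in find_rules_missing_sid(REJECTED_RULES + [WELL_FORMED_RULE]):
        print('line %d: missing sid: %s' % (lineno, msg))
```

Running the block against a real `.rules` file is a matter of passing `open(path).read().splitlines()` to `find_rules_missing_sid`. The `decode_content` helper is included because the RPC rules above match on `|00 01 87 88|`, which is the big-endian program number 100232 (sadmind), so the check can also confirm that the byte strings in a downloaded rule decode as intended.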