[Snort-sigs] Error with current rules via oinkmaster [snortrules-current]

David A. Koran dak at ...1411...
Mon Nov 17 06:38:51 EST 2003


Looks like missing SIDs in the latest rpc.rules (I'm running snort-2.0.2 
on FreeBSD 4.9 if it matters)

Downloading rules archive from 
http://www.snort.org/dl/rules/snortrules-current.tar.gz...
10:45:39 URL:http://www.snort.org/dl/rules/snortrules-current.tar.gz 
[120430/120430] -> "/tmp/oinkmaster.86722/snortrules.tar.gz" [1]
Archive successfully downloaded, unpacking... done.
Disabling rules according to /usr/local/etc/oinkmaster.conf...
WARNING: I don't understand this rule in downloaded file rpc.rules 
(perhaps bad syntax or missing SID etc?):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query 
with root credentials attempt TCP"; flow:to_server,established; 
content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 
00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; 
content:"|00 00 00 00|"; distance:0; within:4;)

WARNING: I don't understand this rule in downloaded file rpc.rules 
(perhaps bad syntax or missing SID etc?):
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query 
with root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12; 
depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; 
byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; 
within:4;)
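A checker for exactly this failure mode, added here as an example (it is not part of the post, nor oinkmaster's or Snort's own code): it parses each Snort 2 rule's option list, honouring quoted content so a ';' inside a pattern does not split an option, and reports rules that carry no sid or rev. Input is a constructed rules file holding the two sadmind rules quoted above plus one well-formed rule (its sid value is a made-up local-range number).

```python
import re

# Header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)'
    r'\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

# Constructed rules file: the two rules oinkmaster rejected, plus a valid one.
SAMPLE_RULES = """\
# constructed sample, not the real rpc.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"well-formed rule for comparison"; content:"|00 01 87 88|"; offset:12; depth:4; sid:9000001; rev:1;)
"""

def split_options(body):
    """Split 'key:val; key:val;' on ';' but not inside quoted strings or after a backslash."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False; continue
        if ch == '\\':
            cur.append(ch); escaped = True; continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return [o for o in opts + ([tail] if tail else []) if o]

def parse_rule(line):
    """Return header fields and a key -> [values] option map, or None if the rule is malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    options = {}
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(':')
        options.setdefault(key.strip(), []).append(val.strip())
    msg = options.get("msg", [""])[0].strip('"')
    return {"action": m.group(1), "proto": m.group(2), "msg": msg, "options": options}

def check_rules(text):
    """Return (line_number, problem) for unparseable rules and rules lacking sid or rev."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, "unparseable rule")); continue
        for required in ("sid", "rev"):
            if required not in rule["options"]:
                problems.append((n, f"missing {required}: {rule['msg']}"))
    return problems
```

Running `check_rules` over a freshly downloaded rules file before letting oinkmaster apply it turns a warning buried in the update log into an explicit list of the rules that will be skipped.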
