[Snort-sigs] Duplicate reference entries for sig 2259

Sean Wheeler s.wheeler at ...944...
Sat Apr 3 01:26:02 EST 2004


Hi,

I am presently building a component which will dynamically assign rules
based on passive OS fingerprinted hosts.
Part of this process involves building a couple of arrays and stats and
comparative checks.... Having
a look below you will notice some interesting/strangeness in the rules (2.1.1
latest snapshot).

I am sending this in the hope it will aid our sig maintainers; if there are
any other stats you would like to see, please pop me a mail, as I am presently
doing plenty of this kind of thing.

Below is the analysis of a sig reconstruction from the DB. What the
reconstruction does is, well, rebuild the rule from the DB and then compare
the rule to the original rule which came from the Snort rulebase.

In this case the integrity check failed, not because of a reconstruction
failure, but because there is a duplicate entry among the reference entries.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow
attempt"; flow:to_server,established; content:"EXPN"; nocase;
pcre:"/^EXPN[^\n]{255,}/smi"; classtype:attempted-admin;
reference:cve,CAN-2003-0161; reference:bugtraq,7230;
reference:cve,CAN-2003-0161; reference:bugtraq,6991;
reference:cve,CAN-2002-1337; sid:2259; rev:1;)


reference:cve,CAN-2003-0161; reference:bugtraq,7230;
reference:cve,CAN-2003-0161; reference:bugtraq,6991;
reference:cve,CAN-2002-1337;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^


regards

Sean

output dump:

#ORIGIN BASE:   alert   tcp     external_net    any     ->      smtp_servers
25
#STAND GROUP:   alert   tcp     any             any     ->      home_net
25
#ALLOC GROUP:   alert   tcp     any             any     ->      $tcp_25
25
#ORIG SIG:      alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase;
pcre:"/^EXPN[^\n]{255,}/smi"; classtype:attempted-admin;
reference:cve,CAN-2003-0161; reference:bugtraq,7230;
reference:cve,CAN-2003-0161; reference:bugtraq,6991;
reference:cve,CAN-2002-1337; sid:2259; rev:1;)

#ORIG SIG clean:322
#alerttcp$external_netany->$smtp_servers25(msg:"smtpexpnoverflowattempt";flo
w:to_server,established;content:"expn";nocase;pcre:"/^expn[^\n]{255,}/smi";c
lasstype:attempted-admin;reference:cve,can-2
003-0161;reference:bugtraq,7230;reference:cve,can-2003-0161;reference:bugtra
q,6991;reference:cve,can-2002-1337;sid:2259;rev:1;)

#RECON COMPARE:294
#alerttcp$external_netany->$smtp_servers25(msg:"smtpexpnoverflowattempt";cla
sstype:attempted-admin;sid:2259;rev:1;reference:bugtraq,6991;reference:bugtr
aq,7230;reference:cve,can-2002-1337;referenc
e:cve,can-2003-0161;content:"expn";nocase;pcre:"/^expn[^\n]{255,}/smi";flow:
to_server,established;)


INTEGRITY FAILURE:      alert tcp any any -> $tcp_25 25 (msg:"SMTP EXPN
overflow attempt"; classtype:attempted-admin; sid:2259; rev:1;
reference:bugtraq,6991; reference:bugtraq,7230;
reference:cve,CAN-2002-1337; reference:cve,CAN-2003-0161; content:"EXPN";
nocase; pcre:"/^EXPN[^\n]{255,}/smi"; flow:to_server,established;)
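The reconstruction check described in the post, written out as an added Python example (this is not Sean's component and not Snort code): parse the rule's option list, report any reference entry that occurs more than once, simulate a database round trip that keeps one row per reference, and then compare the rebuilt rule with the original both the way the dump does (whitespace stripped, lower-cased, byte for byte) and in a duplicate-aware, order-insensitive form. The rule text is a copy of sid 2259 rev 1 as quoted above; the simulated schema and the split between metadata and payload options are assumptions. The stripped lengths reproduce the 322 and 294 figures from the dump: the 28-character difference is exactly one repeated reference:cve,CAN-2003-0161; entry.

```python
import re
from collections import Counter

# Constructed copy of sid 2259 rev 1 exactly as quoted in the post above
# (not pulled from a live ruleset).  Note the repeated reference:cve entry.
SID_2259 = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow '
    'attempt"; flow:to_server,established; content:"EXPN"; nocase; '
    'pcre:"/^EXPN[^\\n]{255,}/smi"; classtype:attempted-admin; '
    'reference:cve,CAN-2003-0161; reference:bugtraq,7230; '
    'reference:cve,CAN-2003-0161; reference:bugtraq,6991; '
    'reference:cve,CAN-2002-1337; sid:2259; rev:1;)'
)

# Assumed split: keywords whose relative order carries no meaning.  Everything
# else (content, nocase, pcre, offset, depth, ...) is payload detection and
# must keep its sequence, because modifiers bind to the content before them.
META_KEYWORDS = {"msg", "classtype", "sid", "rev", "reference", "priority", "flow"}


def parse_rule(rule):
    """Split a rule into its header string and an ordered list of (keyword, value).

    Options are separated by ';' outside double quotes; a backslash inside
    quotes escapes the next character (as in the pcre option above).
    """
    m = re.match(r"^\s*(.*?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a rule: missing option parentheses")
    header, body = m.group(1), m.group(2)
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\" and i + 1 < len(body):
            cur.extend((c, body[i + 1]))
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                key, _, val = tok.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        raise ValueError("trailing option without ';'")
    return header, opts


def clean(rule):
    """The post's 'clean' form: all whitespace removed, lower-cased."""
    return re.sub(r"\s+", "", rule).lower()


def duplicate_references(rule):
    """Return reference values that occur more than once (case-insensitive)."""
    _, opts = parse_rule(rule)
    counts = Counter(v.lower() for k, v in opts if k.lower() == "reference")
    return sorted(v for v, n in counts.items() if n > 1)


def rebuild_from_db(rule):
    """Simulate a round trip through a normalised rule database (assumed schema).

    A table keyed on (sid, system, id) holds one row per reference, so the
    duplicate is silently dropped, and metadata comes back in table order
    rather than rule order.  Payload options keep their original sequence.
    """
    header, opts = parse_rule(rule)
    meta, payload, seen_refs = [], [], set()
    for k, v in opts:
        if k.lower() in META_KEYWORDS:
            if k.lower() == "reference":
                if v.lower() in seen_refs:
                    continue
                seen_refs.add(v.lower())
            meta.append((k, v))
        else:
            payload.append((k, v))
    meta.sort(key=lambda kv: (kv[0].lower(), kv[1].lower()))
    body = " ".join(f"{k}:{v};" if v else f"{k};" for k, v in meta + payload)
    return f"{header} ({body})"


def canonical(rule):
    """Comparison key: header tokens, metadata as a set (so repeated references
    collapse), payload options as an ordered tuple; all case-insensitive."""
    header, opts = parse_rule(rule)
    meta, payload = set(), []
    for k, v in opts:
        item = (k.lower(), v.lower())
        if k.lower() in META_KEYWORDS:
            meta.add(item)
        else:
            payload.append(item)
    return (tuple(header.lower().split()), frozenset(meta), tuple(payload))


def integrity_check(original, rebuilt):
    """Report the post's byte-for-byte comparison next to a duplicate-aware one."""
    return {
        "clean_lengths": (len(clean(original)), len(clean(rebuilt))),
        "clean_match": clean(original) == clean(rebuilt),
        "canonical_match": canonical(original) == canonical(rebuilt),
        "duplicate_references": duplicate_references(original),
    }


if __name__ == "__main__":
    print(integrity_check(SID_2259, rebuild_from_db(SID_2259)))
```

Running it on the quoted rule reports clean lengths (322, 294), a failed byte-for-byte match, a passing canonical match, and the single duplicated reference, which is the situation the dump above shows. Flagging duplicates before the rule goes into the DB is cheaper than explaining a false integrity failure afterwards, so duplicate_references is the check to run at import time.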
