[Snort-sigs] Rule format anomaly for sid 1024 & 1809

Sean Wheeler s.wheeler at ...944...
Sat Apr 3 10:53:05 EST 2004


Hi,

Two small anomalies below:

According to the documentation for reference syntax
(reference: <id system>,<id>; [reference: <id system>,<id>;])

there should be a white space between each reference option; below are two
rules which are missing such a little, innocent but irritating white space.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
newdsn.exe access";flow:to_server,established;
uricontent:"/scripts/tools/newdsn.exe";
nocase;reference:bugtraq,1818;reference:cve,CVE-1999-0191;
classtype:web-application-activity; sid:1024;  rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Apache Chunked-Encoding worm attempt"; flow:to_server,established;
content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079;reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1809; rev:2;)

------------------------------------


All you regex gurus, see below ... got a solution to having the below and
resolving the above?

Extra detail:

I am parsing all the rules and splitting up the options and placing them
into a DB.

I use the regex (PHP ereg):
ereg("reference:[ ]?([a-zA-Z]*)[ ]?,[ ]?([^;][^ ]*)", $mopts, $regs);

This works for references which contain a ";" within their URL
(for example, and the reason you can't use ";" as the end pointer for the
reference URL):
reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268;
in rule:

msg:"BAD-TRAFFIC 0 ttl"; ttl:0;
reference:url,www.isi.edu/in-notes/rfc1122.txt;
reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268;
sid:1321; classtype:misc-activity; rev:6;

It also slices references which have " " in odd locations within the
reference option
(for example reference:cve ,CAN-1999-0885;)
in rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl";
classtype:web-application-activity; reference:cve ,CAN-1999-0885; sid:1508;
rev:4;

and it slices up a well-formatted references rule as expected.

I am aware that it only caters for a single " " delimiter within the
reference options.
-----------------
Some btw stuff for the sig maintainers:

bugtraq we know, but bugtaq in sid 2126?

alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP
Start Control Request buffer overflow attempt";
flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2;
content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtaq,5807;
reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;

Sigs 2260, 2259, 2178, 2337, 1480 contain multiple instances of the same
reference (see prior mails dated 03.04.2004).


Regards,

Sean
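The mail above describes two things: a regex that pulls reference options out of a rule while coping with escaped "\;" in URLs and stray spaces around the comma, and a list of ruleset hygiene problems (options run together without whitespace, a misspelled reference system, duplicated references). The following is an added example, not Sean's PHP code and not part of the Snort project: a small Python parser and linter that handles the same edge cases in one pass. The sample rules are constructed here, modelled on the ones quoted in the mail (the duplicate-reference rule uses a made-up local sid, since the mail names the affected sids but does not quote them), and the set of known reference systems is an assumption loosely based on Snort's reference.config rather than anything the mail states.

```python
import re

# Reference systems treated as valid. Assumption modelled on Snort's
# reference.config; the mail itself only mentions bugtraq, cve and url.
KNOWN_SYSTEMS = {"bugtraq", "cve", "url", "arachnids", "nessus", "mcafee"}

# Constructed sample rules, modelled on the ones quoted in the mail.
SAMPLE_RULES = [
    # sid 1024: options run together with no whitespace after ';'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access";flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase;reference:bugtraq,1818;reference:cve,CVE-1999-0191; classtype:web-application-activity; sid:1024;  rev:5;)',
    # sid 1321: escaped '\;' inside a reference URL
    'alert ip any any -> any any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,www.isi.edu/in-notes/rfc1122.txt; reference:url,support.microsoft.com/default.aspx?scid=kb\\;EN-US\\;q138268; sid:1321; classtype:misc-activity; rev:6;)',
    # sid 1508: stray space before the comma in the reference option
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; classtype:web-application-activity; reference:cve ,CAN-1999-0885; sid:1508; rev:4;)',
    # sid 2126: misspelled reference system "bugtaq"
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtaq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)',
    # constructed rule with a local sid: the same reference listed twice
    'alert tcp any any -> any any (msg:"CONSTRUCTED duplicate reference example"; reference:cve,CAN-2002-0392; reference:cve,CAN-2002-0392; sid:1000001; rev:1;)',
]

# Split on ';' only when it is not escaped, so '\;' inside a URL or content
# string does not terminate the option (the reason the mail's regex cannot
# simply stop at the next ';').
_OPTION_SPLIT = re.compile(r'(?<!\\);')
# An unescaped ';' followed directly by something other than whitespace or ')'.
_MISSING_SPACE = re.compile(r'(?<!\\);(?=[^\s)])')


def split_options(rule):
    """Return the rule body as an ordered list of (keyword, raw_value) pairs."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        raise ValueError('rule body not enclosed in parentheses')
    options = []
    for chunk in _OPTION_SPLIT.split(rule[start + 1:end]):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(':')   # split at the first ':' only
        options.append((key.strip(), value.strip() if sep else ''))
    return options


def parse_references(rule):
    """Return (system, id) pairs; stray spaces around ',' are tolerated and '\\;' is unescaped."""
    refs = []
    for key, value in split_options(rule):
        if key != 'reference':
            continue
        system, _, ident = value.partition(',')
        refs.append((system.strip().lower(), ident.strip().replace('\\;', ';')))
    return refs


def lint_rule(rule):
    """Report the formatting problems raised in the mail, in the order they occur."""
    findings = []
    run_together = len(_MISSING_SPACE.findall(rule))
    if run_together:
        findings.append(f'{run_together} option separator(s) not followed by whitespace')
    seen = set()
    for key, value in split_options(rule):
        if key != 'reference':
            continue
        if re.search(r'\s,|,\s', value):
            findings.append(f'stray whitespace around comma in reference:{value}')
        system, _, ident = value.partition(',')
        system, ident = system.strip().lower(), ident.strip()
        if system not in KNOWN_SYSTEMS:
            findings.append(f'unknown reference system {system!r}')
        if (system, ident) in seen:
            findings.append(f'duplicate reference {system},{ident}')
        seen.add((system, ident))
    return findings


if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        sid = dict(split_options(rule)).get('sid', '?')
        print(f'sid {sid}: refs={parse_references(rule)} findings={lint_rule(rule)}')
```

Splitting on unescaped ';' first and only then looking for the ',' inside the reference value means a single expression no longer has to guess where the reference ends, which is what forces the `[^;][^ ]*` compromise in the ereg pattern; the same split also makes the whitespace lint cheap, because a ';' that is followed by a keyword rather than a space is visible before any option is interpreted.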
