[Snort-sigs] Bleedingsnort.com Daily Update

Alex Kirk alex.kirk at ...435...
Tue Aug 17 05:56:05 EDT 2004


Graeme,

Certain characters have to be escaped out when they occur within a 
content-match. I know that you have to escape out "!" and ";", and I'm 
pretty sure you have to escape ")" or "(" as well. So the MyDoom.S rule 
should look something more like:

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM 
MyDoom.S Outbound"; content:"LOL\!\;\)\)\)\)"; nocase; 
content:"filename=photos_arc.exe"; nocase; 
reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; 
reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)

I'll find out what the exact list of characters that need escaping is 
and post it here later today...though I could have sworn I'd seen it on 
the Snort Manual up on Snort.org (may just be missing it due to lack of 
caffeine this morning). If it's not up there, I'll put in a bug here to 
have that list posted there.

Alex Kirk
Research Analyst
Sourcefire, Inc.
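An added example, not from this thread or from Snort's own code, that scans a rule for the bare semicolon Graeme ran into and escapes the characters the Snort manual lists for content strings (`;`, `\` and `"`). The rule text is a constructed single-line copy of the MyDoom.S signature from the daily update; the option names are real Snort syntax, the function names are this example's own.

```python
import re

# Characters the Snort manual requires to be backslash-escaped inside a
# content:"..." (or uricontent:"...") string.
MUST_ESCAPE = frozenset(';\\"')

# Constructed copy of the MyDoom.S rule from the update, joined onto one line;
# the bare ';' inside the first content string is what broke the reload.
BAD_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM '
            'MyDoom.S Outbound"; content:"LOL!;))))"; nocase; '
            'content:"filename=photos_arc.exe"; nocase; sid:2001196; rev:1;)')

# Matches the opening quote of a content/uricontent value, negated or not.
CONTENT_RE = re.compile(r'\b(uricontent|content)\s*:\s*!?\s*"')


def escape_content(raw: str) -> str:
    """Escape a literal match string so it can sit inside content:"..."."""
    return "".join("\\" + c if c in MUST_ESCAPE else c for c in raw)


def find_unescaped(rule: str) -> list:
    """Return (option_name, index) for every ';' that appears inside a
    content/uricontent string without a preceding backslash."""
    problems = []
    for m in CONTENT_RE.finditer(rule):
        i, escaped = m.end(), False
        while i < len(rule):
            c = rule[i]
            if escaped:
                escaped = False          # char after a backslash is literal
            elif c == "\\":
                escaped = True
            elif c == '"':
                break                    # closing quote of this content string
            elif c == ";":
                problems.append((m.group(1), i))
            i += 1
    return problems


def fix_rule(rule: str) -> str:
    """Insert the backslashes find_unescaped() reports as missing, working
    right to left so earlier offsets stay valid."""
    chars = list(rule)
    for _, idx in sorted(find_unescaped(rule), key=lambda p: p[1], reverse=True):
        chars.insert(idx, "\\")
    return "".join(chars)


if __name__ == "__main__":
    for opt, idx in find_unescaped(BAD_RULE):
        print(f"unescaped ';' inside {opt} at offset {idx}")
    print(fix_rule(BAD_RULE))
```

Running it reports the offset of the bare semicolon and prints the rule with `content:"LOL!\;))))"`, which loads cleanly.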

>I don't know if anyone else had the same problem but when I loaded the
>signature for MYDOOM.s the semicolon on the content caused snort not to
>reload....
>I did a /usr/local/bin/snort -c snort.conf -o and it complained about the
>content not being enclosed in semi-colons...
>maybe it is the way I am doing it..any ideas???
>regard
>graeme
>
>-----Original Message-----
>From: matt at ...2436... [mailto:matt at ...2436...]
>Sent: Monday, 16 August 2004 11:05 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] Bleedingsnort.com Daily Update
>
>
>Todays changes from Bleedingsnort.com:
>
>[***] Results from Oinkmaster started Mon Aug 16 08:05:20 2004 [***]
>
>[+++]          Added rules:          [+++]
>
>     -> Added to bleeding.rules (7):
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width
>exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
>byte_test:4,>=,0x80000000,8,relative,big,string,hex;
>reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001191; rev:1;)
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero
>Width"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
>byte_test:4,=,0x00000000,8,relative,big,string,hex;
>reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001193; rev:1;)
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible
>integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D
>0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative;
>content:!"|00|";
>distance:0;reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001195; rev:1;)
>        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM
>MyDoom.S Outbound"; content:"LOL!;))))"; nocase;
>content:"filename=photos_arc.exe"; nocase;
>reference:url,www.f-secure.com/v-descs/mydoom_s.shtml;
>reference:url,isc.sans.org/diary.php?date=2004-08-16; sid:2001196; rev:1;)
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - zero
>Height"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
>byte_test:4,=,0x00000000,12,relative,big,string,hex;
>reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001194; rev:1;)
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height
>exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8;
>byte_test:4,>=,0x80000000,12,relative,big,string,hex;
>reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001192; rev:1;)
>        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible
>NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|";
>offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex;
>reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
>classtype:misc-activity; sid:2001190; rev:1;)
>
>[///]     Modified active rules:     [///]
>
>     -> Modified active in bleeding.rules (1):
>        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>(msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler";
>uricontent:"aim\:goaway?message=";
>reference:www.idefense.com/application/poi/display?id=121;
>classtype:misc-activity; sid:2001189; rev:2;)
>        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>(msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler";
>uricontent:"aim\:goaway?message=";
>reference:url,www.idefense.com/application/poi/display?id=121;
>classtype:misc-activity; sid:2001189; rev:3;)
>
>[+++]      Added non-rule lines:     [+++]
>
>     -> Added to bleeding-sid-msg.map (8):
>        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI
>Handler || url,www.idefense.com/application/poi/display?id=121
>        2001190 || BLEEDING-EDGE libPNG - Possible NULL-pointer crash in
>png_handle_iCCP || url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001191 || BLEEDING-EDGE libPNG - Width exceeds limit ||
>url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001192 || BLEEDING-EDGE libPNG - Height exceeds limit ||
>url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001193 || BLEEDING-EDGE libPNG - zero Width ||
>url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001194 || BLEEDING-EDGE libPNG - zero Height ||
>url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001195 || BLEEDING-EDGE libPNG - Possible integer overflow in
>allocation in png_handle_sPLT ||
>url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html
>        2001196 || BLEEDING-EDGE WORM MyDoom.S Outbound ||
>url,isc.sans.org/diary.php?date=2004-08-16 ||
>url,www.f-secure.com/v-descs/mydoom_s.shtml
>
>[---]     Removed non-rule lines:    [---]
>
>     -> Removed from bleeding-sid-msg.map (1):
>        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI
>Handler || www.idefense.com/application/poi/display?id=121
>
>[*] Added files: [*]
>    None.
>
>
>
>-------------------------------------------------------
>SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
>100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
>Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
>http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>