[Snort-sigs] Unknown Sig Name error for 2252 in Acid

Jeffrey.R.Gauser at ...1486...
Fri Feb 27 11:15:13 EST 2004


I am experiencing Unknown Sig Name in the ACID console.  I have checked the
rule for any obvious errors in the msg section.  Because I am getting the
error in ACID, I do not know exactly which rule it is, but have a good
idea it is the following rule, 2252, because it occurs every time its
sister rule 2251 occurs.
 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC
Remote Activation bind attempt"; flow:to_server,established;
content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|";
distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|";
nocase; distance:5; within:12; content:"|05|"; distance:0; within:1;
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative;
content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|";
distance:29; within:16; tag:session,5,packets;
classtype:attempted-admin; reference:cve,CAN-2003-0715;
reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp;
sid:2252; rev:3;)
 
The sister rule (which works correctly) is:
 
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote
Activation bind attempt"; flow:to_server,established;content:"|05|";
distance:0; within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00
20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets;
reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528;
reference:cve,CAN-2003-0605;  classtype:attempted-admin;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp;
sid:2251; rev:4;)
 
I have examined the MySQL database for corruption in the signature and
reference tables and only find that sig_id is empty and other tables like
sig_rev have only 1 or incorrect data.  Has anyone else seen this issue
before?
 
Regards,
jeffrey.r.gauser at ...1486...
 