[Snort-sigs] Unknown Sig Name error for 2252 in Acid

Mike Messick mikem at ...1951...
Fri Feb 27 12:31:06 EST 2004


Hi Jeffrey,

I've run into this in the past as well.  On the advice of a friend, I
removed the "tag:" parameter from all signatures in use, as it's not
currently compatible with the snort mysql database output plugin, and
results in the unknown signature name entries in the database.

Unfortunately you lose some logging capability, but at least you know
which rules are firing.

For more info on tag, check out:

http://www.snort.org/docs/snort_manual/node16.html#SECTION00375000000000000000


hope this helps,
-Mike.

==================================================================
Mike Messick           Dona nobis pacem          rm -rf /bin/laden
PGP Key Fingerprint:                       email: mikem at ...1952... 
2048/0x57318496 053B 412B 82FC 3808 E141  CDCD 74AE 01C5 5731 8496

On Fri, 27 Feb 2004 Jeffrey.R.Gauser at ...1486... wrote:

> I am experiencing Unknown Sig Name in ACID console.  I have checked the
> rule for any obvious errors in msg section.  Because I am getting the
> error in acid I do not know exactly which rule it is but have a good
> idea it is the following rule 2252 because it occurs every time its
> sister rule 2251 occurs.
>  
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC
> Remote Activation bind attempt"; flow:to_server,established;
> content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|";
> distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|";
> nocase; distance:5; within:12; content:"|05|"; distance:0; within:1;
> content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative;
> content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|";
> distance:29; within:16; tag:session,5,packets;
> classtype:attempted-admin; reference:cve,CAN-2003-0715;
> reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;
> reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp;
> sid:2252; rev:3;)
>  
> The sister rule (which works correctly) is:
>  
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote
> Activation bind attempt"; flow:to_server,established;content:"|05|";
> distance:0; within:1; content:"|0b|"; distance:1; within:1;
> byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00
> 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets;
> reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528;
> reference:cve,CAN-2003-0605;  classtype:attempted-admin;
> reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp;
> sid:2251; rev:4;)
>  
> I have examined the MySQL database for corruption in the signature and
> reference tables and only find that sig_id is empty and other table like
> sig_rev have only 1 or incorrect data.  Has anyone else seen this issue
> before?
>  
> Regards,
> jeffrey.r.gauser at ...1486...
>  
> 

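Mike's workaround applied mechanically, as an added example that is not from either poster or from the Snort project: a small Python script that drops the `tag:` option from every rule in a file while leaving the quoted content patterns (including escaped semicolons) untouched, and reports which sids were changed. The rules file below is a constructed sample; the 2252 rule in it is shortened from the one quoted above.

```python
import re

# One Snort rule: header text, then the option body in parentheses.
RULE_RE = re.compile(r'^(?P<head>[^(]+?)\s*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option body on ';', honouring double quotes and backslash
    escapes so a ';' inside content:"..." is not treated as a separator."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if ch == ';' and not in_quote and not escaped:
            parts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == '\\') and not escaped
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def strip_tag(line):
    """Return (rewritten_line, sid_or_None): sid is set only when a tag:
    option was actually removed. Comments and blank lines pass through."""
    text = line.strip()
    m = RULE_RE.match(text)
    if not text or text.startswith('#') or not m:
        return line, None
    opts = split_options(m.group('opts'))
    kept = [o for o in opts if not o.startswith('tag:')]
    if len(kept) == len(opts):
        return line, None
    sid = next((o.split(':', 1)[1].strip() for o in kept if o.startswith('sid:')), '?')
    return f"{m.group('head')} ({'; '.join(kept)};)", sid

def strip_tags_from_rules(rules_text):
    """Rewrite a whole rules file; returns (new_text, [sids that changed])."""
    results = [strip_tag(line) for line in rules_text.splitlines()]
    new_text = '\n'.join(new for new, _ in results) + '\n'
    return new_text, [sid for _, sid in results if sid is not None]

# Constructed sample (hypothetical local.rules): a shortened sid 2252 from the
# thread, a rule whose content carries an escaped ';', and one without tag:.
SAMPLE = '''# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; tag:session,5,packets; classtype:attempted-admin; sid:2252; rev:3;)
alert tcp any any -> $HOME_NET 80 (msg:"constructed"; content:"a\\;b"; tag:host,30,seconds; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"no tag here"; sid:1000002; rev:1;)
'''
```

Run `strip_tags_from_rules(open('local.rules').read())` and write the first element back out; the second element is the list of sids whose logging behaviour changed, which is worth keeping for when the plugin supports tag again.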