[Snort-sigs] snort rules and -CURRENT for 2.1.3

Xram_LraK kmx at ...2383...
Sun Jul 25 12:19:02 EDT 2004


hum......

As it stands right now.

snortrules-snapshot-2_1.tar.gz works for all versions of 2.1.x. Tested on:
    a. 2.1.3
    b. 2.1.3RC1
    c. 2.1.2
    d. 2.1.1
    e. 2.1.1RC1
    f. 2.1.0

snortrules-snapshot-2_2.tar.gz works for all versions of 2.2.x. Tested on:
    a. snort-2.2.0RC1

Now for the interesting part and the answers to your questions.

1. With the release of 2.1.1-RC1 the flowbits keyword was introduced,
which causes problems with the rule snapshots, as
snortrules-snapshot-2_1.tar.gz needs to support all versions of the 2.1.x
series.  This means that rules in this snapshot don't contain the
flowbits keyword.

2.  The asn1 keyword is only supported in the 2.2.x series.  These rules 
shouldn't be popping up in the 2.1.x snapshots.  If they are this is a 
problem.  As it stands right now they don't.

3. The snort-current rule set tracks snort HEAD in cvs.  Currently it 
contains the same rules as are in the 2.2 snapshots as no new detection 
functionality has been added since the 2.2 RC1 release.  However, in the 
near future it could very well contain additional keywords or other 
detection functionality. 

Now for the complex part.

Since 2.1.1-RC1 supports flowbits but 2.1.0 does not, the 2.1.x snapshot
doesn't contain flowbits rules.  This means that if you're running a version
greater than 2.1.0, syncing rules from the SNORT_2_1 branch or using
that snapshot doesn't give you all the functionality you probably want, and
the SNORT_2_2 snapshot contains some functionality you can't use (asn1).

This makes things a little complicated for the people running version
2.1.1RC1 and above, as flowbits functionality is something you really
want to use and the 2.1 rule snapshots don't have it.

There are a couple of possible solutions to this problem.
1. Upgrade to 2.2 and track the 2.2 ruleset (best option)

- OR -

2. Download the 2.2 snapshots, remove sid 2382 and 2382, and replace them
with the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2382; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2383; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2384; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2385; rev:9;)

Also remove 2578 and 2579, which are asn1-only rules.

Cheers,
-matt

Eric Jacobsen wrote:

>
> Ok, no one answered me (or Krisa Rowland AFAIK) and things seem
> to have gotten worse on the download page.  I'll reply to my own
> message to try to solicit an official response.
>
> The download page presently features:
>
> snortrules-snapshot-CURRENT.tar.gz  for snort-CURRENT
> snortrules-snapshot-2_2.tar.gz for Snort-2.2
> snortrules-snapshot-2_1.tar.gz for Snort-2.1.x
> snortrules-snapshot-2_0.tar.gz for Snort-2.0.x
>
> However,
>
> (1) If snort 2.1.3 rules aren't compatible with Snort 2.1.x
>     where x<3, which rules are really in the 2.1 file?
>
> (2) As others have noted, asn: rules (which appear to be
>     a 2.2 only thing?) have started popping up in the 2.1
>     tarball (sids 2382,2383,2578,2579 in particular).
>
> (3) What, exactly, is snort-CURRENT now? 2.2.+ ??
>
> The download page (and this list) could really use some
> clarification.
>
> A little help please!
>
>
>
> Eric Jacobsen wrote:
>
>>
>> I hate to bring up a sore subject, but a few weeks back we
>> determined that:
>>
>> snortrules-snapshot-CURRENT.tar.gz was for snort 2.1.3
>> snortrules-snapshot-2_1.tar.gz was for snort 2.1.0 to 2.1.2
>> snortrules-snapshot-2_0.tar.gz was for snort 2.0.x
>>
>> If I want to set up a 2.1.3 system (now that it's official
>> and not a candidate) should I be syncing from the -CURRENT
>> or is that going to change to be [2.1.4 | 2.2.x] as soon as
>> those betas and rcs start, and you'll spawn yet another
>> snortrules-snapshot hierarchy for 2.1.3 people?
>>
>> Thanks!
>>
>
>
>
>
>
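As an added example (not code from this post or from the Snort project), the recipe above of taking the 2.2 snapshot, dropping the asn1-only rules and swapping in replacement rules by sid, written as a small Python filter that can also drop every rule using a keyword the running engine lacks (asn1 on 2.1.x, flowbits on 2.1.0). The sample rules, the sids 9001-9003 and the flowbit name are constructed for the demonstration.

```python
"""Added example, not from the post or the Snort project: prune a Snort rule
file for an engine that lacks some option keywords, by sid or by keyword."""


def rule_options(rule):
    """Split one rule's option block into (keyword, value) pairs.
    A ';' inside a double-quoted value (msg, content) does not end an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, esc = [], "", False, False
    for ch in body:
        if esc:                       # character escaped by a backslash in quotes
            cur, esc = cur + ch, False
        elif ch == "\\" and in_quote:
            cur, esc = cur + ch, True
        elif ch == ";" and not in_quote:
            opts.append(cur)
            cur = ""
        else:
            if ch == '"':
                in_quote = not in_quote
            cur += ch
    if cur.strip():
        opts.append(cur)
    return [tuple(s.strip() for s in o.partition(":")[::2]) for o in opts if o.strip()]


def rule_sid(rule):
    """Return the rule's sid as an int, or None if it has none."""
    return next((int(v) for k, v in rule_options(rule) if k == "sid"), None)


def filter_snapshot(lines, drop_sids=(), unsupported=(), replacements=None):
    """Drop rules whose sid is in drop_sids or that use a keyword in unsupported
    (e.g. asn1 on 2.1.x); swap in replacements keyed by sid; keep comments."""
    replacements = replacements or {}
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        sid = rule_sid(stripped)
        keywords = {k for k, _ in rule_options(stripped)}
        if sid in drop_sids or keywords & set(unsupported):
            continue
        out.append(replacements.get(sid, line))
    return out


SAMPLE_RULES = [  # constructed input, not rules from any real snapshot
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"sample; one"; content:"|FF|SMBs"; flowbits:set,smb.neg; sid:9001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"sample two"; asn1:bitstring_overflow,relative; sid:9002; rev:1;)',
    'alert tcp any any -> $HOME_NET 139 (msg:"sample three"; content:"|FF|SMB"; sid:9003; rev:1;)',
]
```

Run it over a snapshot file with `filter_snapshot(open(path).read().splitlines(), drop_sids={...}, unsupported={"asn1"}, replacements={sid: new_rule_text})` and write the result out as the rule file for the older engine.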