[Snort-sigs] sigs with asn1 fails

Rocio Alfonso Pita rozio at ...2670...
Wed Jul 28 02:04:18 EDT 2004


Hello,

  I update my snort rules with oinkmaster. Yesterday, snort did not start
after this update, giving the following errors:

snort: FATAL ERROR: Warning: /var/oinkmaster/rules/exploit.rules(79) => 
Unknown keyword ' asn1' in rule!
snort: FATAL ERROR: Warning: /var/oinkmaster/rules/netbios.rules(115) => 
Unknown keyword ' asn1' in rule!

  Rules that I had to deactivate for snort to start (Oinkmaster output):

Note: Oinkmaster is running in careful mode - not updating anything.

[***] Results from Oinkmaster started Wed Jul 28 10:48:34 2004 [***]

[+++]         Enabled rules:         [+++]

     -> Enabled in exploit.rules (2):
        alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)

     -> Enabled in netbios.rules (2):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.

  What is the problem with these sigs?
  
  Thanks and regards,
     rozio

PS: Additional information:
Snort version: 2.1.2
Oinkmaster version: 1.0 
Rules: http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
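The startup errors quoted above mean the installed Snort does not implement the asn1 rule option that the downloaded snapshot relies on, and Snort treats an unknown option as a fatal error rather than skipping the rule. A practical check before rolling out a new snapshot is to list the rules that use an option the local build lacks and hand their SIDs to Oinkmaster so they stay commented out. The script below is an added example for this thread, not code from the post or from the Snort or Oinkmaster projects. It assumes the oinkmaster.conf "disablesid 1, 2, 3" directive syntax and runs against a constructed sample rules file; that sample deliberately includes a rule that mentions "asn1:" only inside a quoted content string, which a plain grep would flag but which a real option parser must ignore.

```python
"""Find Snort rules that use a detection option the local Snort build does not
know (here: asn1) and print an Oinkmaster 'disablesid' line for their SIDs.

Added example for the snort-sigs thread; not code from the post, Snort or Oinkmaster.
"""
import sys
from typing import Iterator, List, NamedTuple, Optional

RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}

# Constructed sample (not the real snortrules snapshot): two rules trimmed from the
# post, one rule split with a backslash continuation, and one rule that only says
# "asn1:" inside a quoted content string and must NOT be flagged.
SAMPLE_RULES = r'''# local.rules (constructed sample)
alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; classtype:attempted-admin; sid:2578; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; classtype:attempted-admin; sid:2383; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; \
    flow:to_server,established; asn1:double_overflow,relative_offset 54; sid:2382; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL string that says asn1: but uses no asn1 option"; flow:to_server,established; content:"asn1:"; sid:1000001; rev:1;)
'''


class Rule(NamedTuple):
    sid: Optional[int]
    keywords: List[str]   # option keywords in the order they appear
    text: str


def iter_logical_lines(text: str) -> Iterator[str]:
    """Yield one rule per item, joining lines that end in a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield buf
        buf = ""
    if buf:
        yield buf


def split_options(body: str) -> List[str]:
    """Split the option body on ';' characters that sit outside double quotes.

    msg:, content: and pcre: strings may legitimately contain ';' or ':', so a
    plain body.split(';') would mis-parse them."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:                 # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one active rule; return None for blank lines, comments and '#'-disabled rules."""
    stripped = line.strip()
    tokens = stripped.split(None, 1)
    if not tokens or tokens[0] not in RULE_ACTIONS:
        return None
    start, end = stripped.find("("), stripped.rfind(")")
    if start == -1 or end == -1 or end < start:
        return None                 # no option body, nothing to inspect
    keywords: List[str] = []
    sid: Optional[int] = None
    for opt in split_options(stripped[start + 1:end]):
        key, _, value = opt.partition(":")
        key = key.strip()
        keywords.append(key)
        if key == "sid" and value.strip().isdigit():
            sid = int(value.strip())
    return Rule(sid, keywords, stripped)


def find_rules_using(text: str, keyword: str) -> List[int]:
    """Sorted SIDs of active rules that use `keyword` as an option (not inside a string)."""
    sids = set()
    for line in iter_logical_lines(text):
        rule = parse_rule(line)
        if rule and rule.sid is not None and keyword in rule.keywords:
            sids.add(rule.sid)
    return sorted(sids)


def disablesid_line(sids: List[int]) -> str:
    """Format the SIDs as an oinkmaster.conf directive (assumed syntax: 'disablesid 1, 2')."""
    return "disablesid " + ", ".join(str(s) for s in sids)


if __name__ == "__main__":
    # usage: python check_rules.py [rules-file] [keyword]; defaults to the sample and 'asn1'
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    keyword = sys.argv[2] if len(sys.argv) > 2 else "asn1"
    hits = find_rules_using(text, keyword)
    print(f"{len(hits)} active rule(s) use the '{keyword}' option")
    print(disablesid_line(hits))
```

Run it over each file in the snapshot (or over a concatenation of them) before pointing the production snort.conf at the new rules; the printed disablesid line can be pasted into oinkmaster.conf so the next update keeps those rules commented out until Snort is upgraded to a release that knows the option.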