[Snort-sigs] sigs with asn1 fails

Jason security at ...704...
Wed Jul 28 06:20:04 EDT 2004


Upgrade your snort to the 2.2RC1 release http://www.snort.org or stop 
following current for rules updates.



Rocio Alfonso Pita wrote:

> Hello,
> 
>   I update my snort rules with oinkmaster. Yesterday, snort did not start 
> after this update, giving the following errors:
> 
> snort: FATAL ERROR: Warning: /var/oinkmaster/rules/exploit.rules(79) => 
> Unknown keyword ' asn1' in rule!
> snort: FATAL ERROR: Warning: /var/oinkmaster/rules/netbios.rules(115) => 
> Unknown keyword ' asn1' in rule!
> 
>   Rules that I had to deactivate for snort to start (output oinkmaster):
> 
> Note: Oinkmaster is running in careful mode - not updating anything.
> 
> [***] Results from Oinkmaster started Wed Jul 28 10:48:34 2004 [***]
> 
> [+++]         Enabled rules:         [+++]
> 
>      -> Enabled in exploit.rules (2):
>         alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos 
> principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; 
> asn1:oversize_length 1024,relative_offset -1; 
> reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; 
> classtype:attempted-admin; sid:2578; rev:1;)
>         alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos 
> principal name overflow TCP"; flow:to_server,established; content:"|6A|"; 
> offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 
> 1024,relative_offset -1; 
> reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; 
> classtype:attempted-admin; sid:2579; rev:1;)
> 
>      -> Enabled in netbios.rules (2):
>         alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS 
> DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|
> FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; 
> asn1:double_overflow, oversize_length 2048, 
> bitstring_overflow,relative_offset 54; reference:bugtraq,9633; 
> reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; 
> classtype:attempted-admin; sid:2383; rev:12;)
>         alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC 
> NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|
> SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; 
> asn1:double_overflow, oversize_length 2048, 
> bitstring_overflow,relative_offset 54; reference:bugtraq,9633; 
> reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; 
> classtype:attempted-admin; sid:2382; rev:12;)
> 
> [*] Non-rule line modifications: [*]
>     None.
> 
> [*] Added files: [*]
>     None.
> 
>   What is the problem in these sigs?
>   
>   Thanks and regards,
>      rozio
> 
> PS: Additional information:
> Snort version: 2.1.2
> Oinkmaster version: 1.0 
> Rules: http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
> 

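The failure in this thread (a rules snapshot using an option keyword the installed Snort cannot parse) can be caught before Snort is restarted. The following is an added example, not part of the original messages and not Snort or Oinkmaster code: it scans rule lines for option keywords outside a supported set and builds an Oinkmaster `disablesid` line for the affected SIDs. The `SUPPORTED` set, the function names and the two local sample rules are assumptions made for illustration.

```python
# Added example: pre-flight check for rule options the installed Snort cannot parse.
# ASSUMPTION: SUPPORTED is a constructed stand-in for the option keywords of the
# installed build; populate it from that version's own documentation.
SUPPORTED = {"msg", "content", "depth", "offset", "nocase", "flow",
             "byte_test", "reference", "classtype", "sid", "rev"}

def split_options(body):
    """Split a rule option body on ';', ignoring ';' inside quotes or escaped."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = (ch == "\\") and not esc
        cur += ch
    return [o for o in opts + [cur.strip()] if o]

def unsupported_options(rule, supported=SUPPORTED):
    """Return (sid, [unknown keywords]) for an active rule, else None."""
    rule = rule.strip()
    if rule.startswith("#") or "(" not in rule or ")" not in rule:
        return None
    sid, unknown = None, set()
    for opt in split_options(rule[rule.index("(") + 1:rule.rindex(")")]):
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "sid" and value.strip().isdigit():
            sid = int(value)
        elif key not in supported:
            unknown.add(key)
    return (sid, sorted(unknown)) if unknown else None

def disablesid_line(rules, supported=SUPPORTED):
    """Build one oinkmaster.conf 'disablesid' line for rules that would not load."""
    hits = [unsupported_options(r, supported) for r in rules]
    sids = sorted(h[0] for h in hits if h and h[0] is not None)
    return "disablesid " + ",".join(map(str, sids)) if sids else ""

# Constructed sample: sid 2578 as quoted in the thread (unwrapped), plus two
# made-up local rules, one with an escaped ';' inside a quoted string.
SAMPLE = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)',
    'alert tcp any any -> any 80 (msg:"LOCAL a\\;b; c"; content:"x\\;asn1:y"; sid:1000001; rev:1;)',
    '# alert tcp any any -> any 25 (msg:"LOCAL disabled"; asn1:double_overflow; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    print(disablesid_line(SAMPLE))
```

Disabling these SIDs keeps the sensor running but removes its coverage for the traffic those rules describe until Snort itself is upgraded.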