[Snort-sigs] sigs with asn1 fails

Eric Hines eric.hines at ...1663...
Wed Jul 28 09:57:02 EDT 2004


I was afraid we were the only ones seeing this. Last week one of our
customers complained that Snort wasn't starting due to the same ASN.1
keyword issue after running our update wizard. I verified that the file they
downloaded was snortrules-snapshot-2.1 but somehow they received the new
snort-2.2 rules in that tarball. 


Best Regards,


Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
Direct: (877) 262-7593 x327


-----------------------------------------

Address: 4204 Commercial Way
         Glenview, IL 60025
         Toll Free: (877) 262-7593
         Fax: (877) 262-7593
         http://www.appliedwatch.com

-----------------------------------------





-----Original Message-----
From: Joshua Berry [mailto:jberry at ...2562...] 
Sent: Wednesday, July 28, 2004 8:45 AM
To: snort
Subject: RE: [Snort-sigs] sigs with asn1 fails

I update twice a day with oinkmaster pointed to
www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and have not seen the
asn1 keyword in any of the rules I downloaded.  However, I tested
downloading www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz and it has
the keyword and so does
www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz

Maybe these people are using the CURRENT rules, or I just happen to be
downloading when they fix the problem every single time.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Rocio Alfonso
Pita
Sent: Wednesday, July 28, 2004 4:03 AM
To: 'snort'
Subject: [Snort-sigs] sigs with asn1 fails

Hello,

  I update my snort rules with oinkmaster. Yesterday, snort did not start
after this update, giving the following errors:

snort: FATAL ERROR: Warning: /var/oinkmaster/rules/exploit.rules(79) => Unknown keyword ' asn1' in rule!
snort: FATAL ERROR: Warning: /var/oinkmaster/rules/netbios.rules(115) => Unknown keyword ' asn1' in rule!

  Rules that I had to deactivate for snort to start (output oinkmaster):

Note: Oinkmaster is running in careful mode - not updating anything.

[***] Results from Oinkmaster started Wed Jul 28 10:48:34 2004 [***]

[+++]         Enabled rules:         [+++]

     -> Enabled in exploit.rules (2):
        alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"|6A|"; offset:4; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:1;)

     -> Enabled in netbios.rules (2):
        alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF| SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.

  What is the problem in these sigs?

  Thanks and regards,
     rozio

PS: Additional information:
Snort version: 2.1.2
Oinkmaster version: 1.0
Rules: http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
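The thread above comes down to a rules tarball carrying the 2.2-only asn1 option, which Snort 2.1.2 rejects at start-up. The following pre-flight check is an added example, not Snort's or Oinkmaster's own code: it parses each rule's option list and reports any keyword the installed build does not know, in the same file(line) form Snort prints. KNOWN_2_1 is an assumed, illustrative subset of the 2.1 keyword set, and the sample rules are constructed (sid 2578 is taken from the quoted output).

```python
# Added pre-flight check (not Snort's or Oinkmaster's code): scan a rules file
# for option keywords the installed Snort build does not accept, so a tarball
# with 2.2-only keywords such as asn1 is caught before Snort is restarted.
# Assumption: KNOWN_2_1 is an illustrative subset of the Snort 2.1 keyword set.
KNOWN_2_1 = {"msg", "flow", "content", "depth", "offset", "nocase", "byte_test",
             "byte_jump", "reference", "classtype", "sid", "rev", "dsize",
             "flags", "pcre", "within", "distance", "uricontent", "isdataat"}
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def split_options(body):
    """Split the text inside a rule's parentheses on ';' outside quotes.
    A backslash-escaped character (e.g. \\; inside content) never ends an option."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def unknown_keywords(rules_text, filename, known=KNOWN_2_1):
    """Return (filename, lineno, keyword) for each option keyword not in `known`.
    Lines Oinkmaster disabled with '#' are skipped, as Snort skips them."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        s = line.strip()
        lpar, rpar = s.find("("), s.rfind(")")
        if not s.startswith(ACTIONS) or lpar < 0 or rpar < lpar:
            continue
        for opt in split_options(s[lpar + 1:rpar]):
            kw = opt.split(":", 1)[0].strip()
            if kw not in known:
                findings.append((filename, lineno, kw))
    return findings

def report(findings):
    """Format findings the way the failing Snort start in the thread did."""
    return ["%s(%d) => Unknown keyword '%s' in rule!" % f for f in findings]

# Constructed sample: a 2.1-style rule, then sid 2578 from the thread with asn1.
SAMPLE = """# local test rule (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"LOCAL constructed 2.1-style rule"; flow:to_server,established; content:"|FF|SMB"; depth:4; offset:4; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"|6A|"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; classtype:attempted-admin; sid:2578; rev:1;)
"""
```

Run `report(unknown_keywords(SAMPLE, "exploit.rules"))` over each file in the unpacked snapshot before swapping it in; an empty list means the rules use only keywords the build accepts.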

