[Snort-sigs] Help

Chad Gross cgross at ...3257...
Mon Oct 30 21:59:00 EST 2006


My bad, sorry for the spam.

-----Original Message-----
From: Joel Esler [mailto:joel.esler at ...435...] 
Sent: Monday, October 23, 2006 6:09 PM
To: Chad Gross
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Help

Your subject says "help", however, I didn't see a question.

What did you need help with?

Joel

On Oct 22, 2006, at 10:39 PM, Chad Gross wrote:

>
>
> -----Original Message-----
> From: snort-sigs-bounces at lists.sourceforge.net
> [mailto:snort-sigs-bounces at lists.sourceforge.net] On Behalf Of
> snort-sigs-request at lists.sourceforge.net
> Sent: Thursday, October 19, 2006 7:49 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: Snort-sigs Digest, Vol 5, Issue 8
>
> Send Snort-sigs mailing list submissions to
> 	snort-sigs at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
> 	snort-sigs-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> 	snort-sigs-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
>
>
> Today's Topics:
>
>    1. Sourcefire VRT Certified Rules Update (Sourcefire VRT)
>    2. False Positive (Adam Clinch)
>    3. False positive SID 7100 (East, Bill)
>    4. Bleeding Edge Threats Daily Update  
> (bleeding at ...3254...)
>    5. Bleeding Edge Threats Daily Update  
> (bleeding at ...3254...)
>    6. Error in oracle rule... (Jay 'Whip' Grizzard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 18 Oct 2006 18:05:19 -0400
> From: Sourcefire VRT <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Rules Update
> To: Snort Sigs <snort-sigs at lists.sourceforge.net>
> Message-ID: <4536A51F.9020008 at ...435...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> Sourcefire VRT Certified Rules Update
>
> Synopsis:
> The Sourcefire VRT has added multiple rules in the spyware-put and
> backdoor categories to provide coverage for emerging spyware and  
> trojan
> horse threats. The VRT has also updated numerous rules in the FTP
> category to accommodate larger default values for FTP services,
> additionally reference information has been added and improved
> throughout the VRT Certified Rule Set.
>
>
> Details:
> As a result of ongoing research, the Sourcefire VRT has added multiple
> rules to the spyware and backdoor rule sets to provide coverage for
> emerging threats from these technologies.
>
> A number of rules in the FTP rule category have been updated to
> accommodate larger default values in some FTP services.
>
> The VRT has also updated and added reference information throughout  
> the
> entire Sourcefire VRT Certified Rule Set.
>
> For a complete list of new and modified rules:
>
> http://www.snort.org/rules/docs/ruleset_changelogs/changes-2006-10-18.html
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 29 Sep 2006 20:03:35 +1000
> From: Adam Clinch <adam.clinch at ...2420...>
> Subject: [Snort-sigs] False Positive
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <451CEF77.2040301 at ...2420...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
>
> Rule:
> spyware-put.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"SPYWARE-PUT Adware hxdl runtime detection - crypt user-agent";
> flow:to_server,established; content:"User-Agent|3A|"; nocase;
> content:"CryptRetrieveObjectByUrl|3A 3A|InetSchemeProvider"; distance:0; nocase;
> pcre:"/^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetSchemeProvider/smi";
> reference:url,www.spywareguide.com/product_show.php?id=516;
> reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079;
> classtype:misc-activity; sid:7555; rev:1;)
>
> --
> Sid:
> 7555
> --
> Summary:
>  This event is generated when activity relating to a spyware  
> application
> is detected.
> --
> Impact:
>  Unknown. Possible information disclosure, violation of privacy, possible
> violation of policy.
> --
> Detailed Information:
>
> --
> Affected Systems:
>
> --
> Attack Scenarios:
>
> --
> Ease of Attack:
>
> --
> False Positives:
> Triggers on crl.microsoft.com
>
>
> source addr       dest addr        Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
> 147.10.195.135    131.107.115.28   4    5        0    461     15547  0      0       64   44886
>
> 000 : 47 45 54 20 2F 70 6B 69 2F 63 72 6C 2F 70 72 6F   GET /pki/crl/pro
> 010 : 64 75 63 74 73 2F 43 6F 64 65 53 69 67 6E 50 43   ducts/CodeSignPC
> 020 : 41 2E 63 72 6C 20 48 54 54 50 2F 31 2E 30 0D 0A   A.crl HTTP/1.0..
> 030 : 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65   Accept: */*..Use
> 040 : 72 2D 41 67 65 6E 74 3A 20 43 72 79 70 74 52 65   r-Agent: CryptRe
> 050 : 74 72 69 65 76 65 4F 62 6A 65 63 74 42 79 55 72   trieveObjectByUr
> 060 : 6C 3A 3A 49 6E 65 74 53 63 68 65 6D 65 50 72 6F   l::InetSchemePro
> 070 : 76 69 64 65 72 0D 0A 48 6F 73 74 3A 20 63 72 6C   vider..Host: crl
> 080 : 2E 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 0D 0A   .microsoft.com..
> 090 : 43 6F 6F 6B 69 65 3A 20 73 5F 6E 72 3D 31 31 35   Cookie: s_nr=115
> 0a0 : 38 39 38 38 31 37 36 35 35 30 3B 20 57 54 5F 46   8988176550; WT_F
> 0b0 : 50 43 3D 69 64 3D 31 34 37 2E 31 30 2E 31 39 35   PC=id=147.10.195
> 0c0 : 2E 31 33 35 2D 31 31 33 34 36 37 32 31 31 32 2E   .135-1134672112.
> 0d0 : 32 39 38 31 30 33 37 38 3A 6C 76 3D 31 31 35 38   29810378:lv=1158
> 0e0 : 39 32 33 33 35 37 38 32 30 3A 73 73 3D 31 31 35   923357820:ss=115
> 0f0 : 38 39 35 32 31 30 35 39 31 30 3B 20 4D 43 31 3D   8952105910; MC1=
> 100 : 47 55 49 44 3D 39 30 62 34 38 64 36 39 61 63 64   GUID=90b48d69acd
> 110 : 66 32 65 34 64 61 39 34 61 63 38 63 66 32 33 34   f2e4da94ac8cf234
> 120 : 61 62 33 61 39 26 48 41 53 48 3D 36 39 38 64 26   ab3a9&HASH=698d&
> 130 : 4C 56 3D 32 30 30 36 39 26 56 3D 33 3B 20 41 3D   LV=20069&V=3; A=
> 140 : 49 26 49 3D 41 78 55 46 41 41 41 41 41 41 43 57   I&I=AxUFAAAAAACW
> 150 : 42 77 41 41 7A 53 39 42 54 35 4A 4A 2B 39 6A 34   BwAAzS9BT5JJ+9j4
> 160 : 36 46 75 6C 6A 58 30 65 74 67 21 21 0D 0A 43 61   6FuljX0etg!!..Ca
> 170 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D   che-Control: no-
> 180 : 63 61 63 68 65 2C 20 6D 61 78 2D 61 67 65 3D 32   cache, max-age=2
> 190 : 35 39 32 30 30 0D 0A 0D 0A                        59200....
>
>
> --
> False Negatives:
>
> --
> Corrective Action:
>
> --
> Contributors:
>
> -- 
> Additional References:
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 4 Oct 2006 09:51:50 -0400
> From: "East, Bill" <eastb at ...627...>
> Subject: [Snort-sigs] False positive SID 7100
> To: <snort-sigs at lists.sourceforge.net>
> Message-ID:
> 	<DB70207C75570343BD590F95BA86ADBC010D15E9 at ...3248...>
>
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
>
> Rule:  BACKDOOR mass connect 1.1 runtime detection - http
>
> --
> Sid: 7100
>
> --
> Summary:
>
> --
> Impact:
>
> --
> Detailed Information:
>
> --
> Affected Systems:
>
> --
> Attack Scenarios:
>
> --
> Ease of Attack:
>
> --
> False Positives: Numara Software, makers of TrackIt! audit software,
> also use the UtilMind useragent to pull down content. This is sufficient
> to trigger the rule.
>
> --
> False Negatives:
>
> --
> Corrective Action:
>
> --
> Contributors:
>
> -- 
> Additional References:
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 17 Oct 2006 21:00:10 -0400 (EDT)
> From: bleeding at ...3254...
> Subject: [Snort-sigs] Bleeding Edge Threats Daily Update
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20061018010010.65F1A5502A1 at ...3098...>
> Content-Type: text/plain
>
>
> [***] Results from Oinkmaster started Tue Oct 17 21:00:10 2006 [***]
>
> [+++]          Added rules:          [+++]
>
>  2003118 - BLEEDING-EDGE VIRUS SHELLCODE Shikata Ga Nai polymorphic
> payload (bleeding-virus.rules)
>  2003119 - BLEEDING-EDGE VIRUS SHELLCODE ADMutate polymorphic payload
> (bleeding-virus.rules)
>  2003120 - BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
> (bleeding-policy.rules)
>  2003121 - BLEEDING-EDGE docs.google.com Activity
> (bleeding-policy.rules)
>  2003122 - BLEEDING-EDGE Possible docs.google.com Activity
> (bleeding-policy.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
> (bleeding-dshield.rules)
>  2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
> (bleeding-dshield-BLOCK.rules)
>  2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
> (bleeding-botcc.rules)
>  2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
> (bleeding-botcc.rules)
>  2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
> (bleeding-botcc.rules)
>  2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
> (bleeding-botcc.rules)
>  2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
> (bleeding-botcc.rules)
>  2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>
>
> [---]         Removed rules:         [---]
>
>  2003118 - BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
> (bleeding-policy.rules)
>
>
> [+++]      Added non-rule lines:     [+++]
>
>      -> Added to bleeding-policy.rules (1):
>         # Submitted 2006-10-17 by Adam Nunn
>
>      -> Added to bleeding-sid-msg.map (5):
>         2003118 || BLEEDING-EDGE VIRUS SHELLCODE Shikata Ga Nai
> polymorphic payload || url,toorcon.org/2006/conference.html?id=29
>         2003119 || BLEEDING-EDGE VIRUS SHELLCODE ADMutate polymorphic
> payload || url,toorcon.org/2006/conference.html?id=29
>         2003120 || BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
>         2003121 || BLEEDING-EDGE docs.google.com Activity ||
> url,docs.google.com
>         2003122 || BLEEDING-EDGE Possible docs.google.com Activity ||
> url,docs.google.com
>
> [---]     Removed non-rule lines:    [---]
>
>      -> Removed from bleeding-sid-msg.map (1):
>         2003118 || BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
>
>      -> Removed from bleeding-virus.rules (2):
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 18 Oct 2006 21:00:09 -0400 (EDT)
> From: bleeding at ...3254...
> Subject: [Snort-sigs] Bleeding Edge Threats Daily Update
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20061019010009.474F155026A at ...3098...>
> Content-Type: text/plain
>
>
> [***] Results from Oinkmaster started Wed Oct 18 21:00:07 2006 [***]
>
> [///]     Modified active rules:     [///]
>
>  2001850 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer
> Requested (1) (bleeding-malware.rules)
>  2002093 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer
> Requested (2) (bleeding-malware.rules)
>  2002697 - BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote  
> Code
> Execution (bleeding-exploit.rules)
>  2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
> (bleeding-dshield.rules)
>  2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
> (bleeding-dshield-BLOCK.rules)
>  2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
> (bleeding-botcc.rules)
>  2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
> (bleeding-botcc.rules)
>  2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
> (bleeding-botcc.rules)
>  2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
> (bleeding-botcc.rules)
>  2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
> (bleeding-botcc.rules)
>  2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>  2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
> (bleeding-botcc-BLOCK.rules)
>
>
> [///]    Modified inactive rules:    [///]
>
>  2002692 - BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic -
> Possible Infected Host (bleeding.rules)
>
>
> [*] Non-rule line modifications: [*]
>     None.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 22 Sep 2006 15:57:43 -0700
> From: Jay 'Whip' Grizzard <elfchief at ...3249...>
> Subject: [Snort-sigs] Error in oracle rule...
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20060922225743.GK7734 at ...3250...>
> Content-Type: text/plain; charset=us-ascii
>
> I'm not certain where the right place to send bug reports for rules is,
> and haven't been able to find specific data, so I'll try here.
>
> I think that the oracle 'user name buffer overflow attempt' rule (sid 2650)
> is wrong and does not check for the correct string.
>
> It currently reads (relevant snippet):
>
> content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000
>
> 0x28 = (
> 0x22 = "
>
> ... which is basically saying to match on the string "(user=" if there's
> not a quote within the next thousand characters.
>
> What I think it's *supposed* to do is to match if there's not a closing
> parenthesis within the next thousand characters, since the string used
> in actual requests is "(user=<username>)".
>
> So I think the rule should actually be (again, relevant snippet):
>
> content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000
>
> Thanks for your attention.
>
> -jay
>
>
>
> ------------------------------
>
> ----------------------------------------------------------------------

> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> End of Snort-sigs Digest, Vol 5, Issue 8
> ****************************************
>
>

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
        Snort - Open Source Network IPS/IDS -- http://www.snort.org
          gpg key: http://demo.sourcefire.com/jesler.pgp.key
            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
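The sid 2650 logic that Jay Grizzard discusses in message 6 of the quoted digest, as an added example that is not from the thread or from the Snort rule set: a small Python emulation of the three options, run in both the quoted (0x22) and proposed (0x29) form over constructed Oracle-style connect strings. The payloads are made up here, not captured traffic, and the Snort option semantics are approximated from the manual rather than taken from Snort's source.

```python
# Added example: emulate the relevant snippet of Snort sid 2650 to show why the
# byte in the negated content matters. Option semantics are approximated from
# the Snort manual, not Snort's source; all payloads below are constructed.

def find_content(payload: bytes, needle: bytes, nocase: bool, start: int):
    """Positive 'content' match searched from `start`; returns the cursor just
    past the match (the point later 'relative' options count from) or None."""
    hay, ndl = (payload.lower(), needle.lower()) if nocase else (payload, needle)
    idx = hay.find(ndl, start)
    return None if idx < 0 else idx + len(ndl)


def isdataat_relative(payload: bytes, cursor: int, n: int) -> bool:
    """'isdataat:n,relative': at least n bytes of payload remain after the cursor."""
    return len(payload) - cursor >= n


def negated_content_within(payload: bytes, cursor: int, needle: bytes, n: int) -> bool:
    """'content:!"X"; within:n' after a relative match: satisfied only when X is
    absent from the next n bytes."""
    return needle not in payload[cursor:cursor + n]


def sid2650_fires(payload: bytes, terminator: bytes) -> bool:
    """Evaluate
         content:"|28|user="; nocase; isdataat:1000,relative;
         content:!"<terminator>"; within:1000
    terminator=b'"' (0x22) is the rule as quoted in the thread, b')' (0x29) is
    the fix Jay proposes. Like Snort, later "(user=" hits are retried when the
    relative options fail for an earlier one."""
    cursor = 0
    while True:
        cursor = find_content(payload, b"(user=", nocase=True, start=cursor)
        if cursor is None:
            return False
        if isdataat_relative(payload, cursor, 1000) and \
                negated_content_within(payload, cursor, terminator, 1000):
            return True


def evaluate(payload: bytes) -> dict:
    """Run both variants of the snippet and report which would alert."""
    return {"shipped_0x22": sid2650_fires(payload, b'"'),
            "proposed_0x29": sid2650_fires(payload, b")")}


# Constructed samples (not captured traffic). The benign connect string carries
# the "(user=<username>)" form Jay describes; the padding stands in for the rest
# of a large packet and contains neither a quote nor a closing parenthesis, so
# the quoted rule alerts on it (false positive) while the proposed one does not.
BENIGN_CONNECT = (b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)"
                  b"(HOST=client)(USER=scott)))(ADDRESS=(PROTOCOL=tcp)(HOST=db)(PORT=1521)))"
                  + b"\x00" * 1100)
# An actual overlong user name: both variants alert, as intended.
OVERLONG_USER = b"(DESCRIPTION=(CONNECT_DATA=(USER=" + b"A" * 1200 + b")))"
# Too little data after "(user=" for isdataat:1000 to pass: neither alerts.
SHORT_CONNECT = b"(CONNECT_DATA=(USER=scott))"

if __name__ == "__main__":
    for name, p in [("benign", BENIGN_CONNECT), ("overlong", OVERLONG_USER),
                    ("short", SHORT_CONNECT)]:
        print(name, evaluate(p))
```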

