[Snort-sigs] Snort load error with rule sid 21349

Jon Larson jon at ...3752...
Wed Nov 28 21:50:06 EST 2012


The latest server-other.rules file contains this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] ( \
    msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; \
    flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; \
    depth:10; offset:4; isdataat:80,relative; \
    pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; \
    metadata:policy security-ips drop; reference:bugtraq,37250; \
    reference:cve,2009-3844; reference:url,osvdb.org/60852; \
    classtype:attempted-admin; sid:21349; rev:2;)

I include this in my snort.conf.  Then when I do "service snortd start" 
it fails and this error is in /var/log/messages:

snort[8808]: FATAL ERROR: /opt/catbird/lib/snort/server-other.rules(382) 
: pcre compile of 
"^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})" 
failed at offset 243 : repeated subpattern is too long

Here is the version information:
sbin/snort -V

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
            Using libpcap version 1.0.0
            Using PCRE version: 6.6 06-Feb-2006
            Using ZLIB version: 1.2.3

Any and all help would be greatly appreciated!
Jonny L.
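The FATAL ERROR above is libpcre's own compile diagnostic passed through by Snort: the file and line of the offending rule, the pattern text, and the byte offset at which pcre_compile gave up. Counting through the pattern as posted, offset 243 is the character right after "{256}", i.e. the end of the quantifier on the last alternation group, which is the "repeated subpattern" the message refers to. The script below is an added example, not code from the post or from the Snort project: it pulls the pcre: option out of each rule in a rules file (sid, rev, line number, pattern, modifiers), keeps only the modifiers that are real libpcre compile options, and emits the patterns in the input format of pcretest (the test tool that ships with libpcre), so a rules file can be checked against the installed PCRE without starting Snort. The rules text is a constructed sample that contains the sid 21349 rule verbatim plus two made-up rules (sids 1000001 and 1000002); the modifier mapping, the helper names and the error_context() helper are this example's own, not Snort's.

```python
"""Extract pcre: options from Snort rules and emit pcretest input, so the
patterns can be compiled against the installed libpcre outside of Snort."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the sid 21349 rule as posted, plus two made-up rules.
SAMPLE_RULES = r'''# constructed sample rules file, not a real one
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"no pcre here"; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; isdataat:80,relative; pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; metadata:policy security-ips drop; reference:bugtraq,37250; reference:cve,2009-3844; reference:url,osvdb.org/60852; classtype:attempted-admin; sid:21349; rev:2;)
alert tcp any any -> $HOME_NET 8080 (msg:"constructed example"; content:"/cgi/"; pcre:!"/^\/cgi\/[a-z]+\.sh/iR"; sid:1000002; rev:1;)
'''

# Snort pcre modifiers that are libpcre compile options, mapped to the
# pcretest modifier letter (Snort's G = ungreedy is pcretest's U).
SNORT_TO_PCRETEST = {"i": "i", "s": "s", "m": "m", "x": "x",
                     "A": "A", "E": "E", "G": "U"}
# Snort-side matching options with no libpcre equivalent (R = relative to
# the previous content match, U/B/P/H/... = which buffer to run against).
SNORT_ONLY = set("RUBPHMCIDKSYO")


@dataclass
class RulePcre:
    line_no: int      # 1-based line in the rules file, as Snort reports it
    sid: str
    rev: str
    negated: bool     # pcre:!"..." form
    delim: str        # delimiter character used in the rule, normally '/'
    pattern: str      # text between the delimiters, escapes left untouched
    flags: str        # raw Snort modifier string, e.g. "R" or "iR"


def extract_pcre(rule: str) -> Optional[Tuple[bool, str, str, str]]:
    """Return (negated, delim, pattern, flags) for the first pcre: option.
    Walks the pattern character by character so an escaped delimiter
    (\\/) is not mistaken for the end of the pattern."""
    idx = rule.find("pcre:")
    if idx < 0:
        return None
    pos = idx + len("pcre:")
    negated = rule.startswith("!", pos)
    if negated:
        pos += 1
    if not rule.startswith('"', pos):
        return None
    pos += 1
    delim = rule[pos]
    pos += 1
    start = pos
    while pos < len(rule):
        ch = rule[pos]
        if ch == "\\":
            pos += 2          # skip the escaped character
            continue
        if ch == delim:
            break
        pos += 1
    else:
        return None           # no closing delimiter
    pattern = rule[start:pos]
    pos += 1
    end = rule.find('"', pos)
    if end < 0:
        return None
    return negated, delim, pattern, rule[pos:end]


def parse_rules(text: str) -> List[RulePcre]:
    """One RulePcre per rule line that carries a pcre: option."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        hit = extract_pcre(rule)
        if hit is None:
            continue
        negated, delim, pattern, flags = hit
        sid = re.search(r"\bsid:\s*(\d+)", rule)
        rev = re.search(r"\brev:\s*(\d+)", rule)
        found.append(RulePcre(line_no, sid.group(1) if sid else "?",
                              rev.group(1) if rev else "?",
                              negated, delim, pattern, flags))
    return found


def pcretest_modifiers(flags: str) -> str:
    """Keep only modifiers libpcre understands; reject letters Snort does not define."""
    unknown = [f for f in flags if f not in SNORT_TO_PCRETEST and f not in SNORT_ONLY]
    if unknown:
        raise ValueError(f"unknown Snort pcre modifier(s): {unknown}")
    return "".join(SNORT_TO_PCRETEST[f] for f in flags if f in SNORT_TO_PCRETEST)


def pcretest_input(rules: List[RulePcre]) -> str:
    """pcretest reads '/pattern/mods' then data lines; an empty data section
    means it only compiles the pattern and reports any compile error."""
    out = []
    for r in rules:
        out.append(f"{r.delim}{r.pattern}{r.delim}{pcretest_modifiers(r.flags)}")
        out.append("")
    return "\n".join(out) + "\n"


def error_context(pattern: str, offset: int, width: int = 12) -> Tuple[str, str]:
    """Split the pattern at the offset libpcre reported, so the construct it
    stopped on is visible: (text just before the offset, text from it on)."""
    return pattern[max(0, offset - width):offset], pattern[offset:offset + width]


if __name__ == "__main__":
    print(pcretest_input(parse_rules(SAMPLE_RULES)), end="")
```

Run it with the real rules file in place of SAMPLE_RULES and pipe the output into the pcretest built from the same libpcre that "snort -V" reports; pcretest prints "Failed: ... at offset N" for each pattern that does not compile, in the same order as the rules, and error_context() shows what sits at that offset. The output order is the only link back to sid and line number, because pcretest treats a leading "#" as a pattern delimiter rather than a comment.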
