[Snort-sigs] Bad range in Snort rules

Lukas Matt lukas.matt at ...525...
Mon Jan 13 09:32:56 EST 2014


Hi Alex, why do you removed them? I mean it is only a little change 
necessary to make them work correctly.

Regards,
Lukas


On 01/13/2014 03:24 PM, Alex McDonnell wrote:
> Hi Lukas.
>
> The rules in question were deleted the 13th of december and went out 
> in SEU: 1018 Date: 2013-12-17
>
> thanks
> Alex McDonnell
> VRT
>
>
> On Mon, Jan 13, 2014 at 8:52 AM, Lukas Matt <lukas.matt at ...525... 
> <mailto:lukas.matt at ...525...>> wrote:
>
>     Hi all, was there some progress regarding the bad range while
>     Christmas?
>
>     Cheers,
>     Lukas
>
>
>     On 12/16/2013 06:00 PM, Joel Esler (jesler) wrote:
>>     Lukas, yes, this will be fixed in an upcoming release.
>>
>>     --
>>     *Joel Esler*
>>     Intelligence Lead
>>     OpenSource Manager
>>     Vulnerability Research Team
>>     Jabber: jesler at ...3865... <mailto:jesler at ...3865...>
>>
>>     On Dec 16, 2013, at 5:12 AM, Lukas Matt <lukas.matt at ...525...
>>     <mailto:lukas.matt at ...525...>> wrote:
>>
>>>     Hey guys,
>>>
>>>     I ran into following error message "Bad range: 4294967296"
>>>     That affect rule 28519 and 28514. The problem here is following
>>>     part:
>>>
>>>         byte_test:4,>,4294967296,18,relative,little;
>>>
>>>     Under 32bit the maximum Int is 2^32-1 but in the rule you forgot
>>>     to subtract 1.
>>>     I checked also the documentation and the maximum for your
>>>     byte_test is 4294967295.
>>>
>>>     Could you double check that?
>>>
>>>     Cheers,
>>>     Lukas
>>>
>>>
>>>     -- 
>>>     Lukas Matt
>>>     Deep Packet Inspection Researcher, RnD
>>>
>>>     tel:+49-721-25516-322  <tel:%2B49-721-25516-322>, cell:+49-174-3440-555  <tel:%2B49-174-3440-555>
>>>
>>>     Sophos Technology GmbH
>>>     Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>>>
>>>     SOPHOS Security made simple
>>>
>>>     ---
>>>     Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
>>>     Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
>>>     Executive Board: Nicholas Bray, Pino von Kienlin, Richard Walford, Joachim Frost, Günter Junk
>>>     ------------------------------------------------------------------------------
>>>     Rapidly troubleshoot problems before they affect your business.
>>>     Most IT
>>>     organizations don't have a clear picture of how application
>>>     performance
>>>     affects their revenue. With AppDynamics, you get 100% visibility
>>>     into your
>>>     Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
>>>     AppDynamics Pro!
>>>     http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk_______________________________________________
>>>     Snort-sigs mailing list
>>>     Snort-sigs at lists.sourceforge.net
>>>     <mailto:Snort-sigs at lists.sourceforge.net>
>>>     https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>     http://www.snort.org
>>>
>>>
>>>     Please visit http://blog.snort.org for the latest news about Snort!
>>
>
>
>     -- Lukas Matt Deep Packet Inspection Researcher, RnD tel:
>     +49-721-25516-322 <tel:%2B49-721-25516-322>, cell:
>     +49-174-3440-555 <tel:%2B49-174-3440-555>
>
>
>     Sophos Technology GmbH
>     Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>
>     SOPHOS Security made simple
>
>     ---
>     Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
>     Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
>     Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>
>
>     ------------------------------------------------------------------------------
>     CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>     Learn Why More Businesses Are Choosing CenturyLink Cloud For
>     Critical Workloads, Development Environments & Everything In Between.
>     Get a Quote or Start a Free Trial Today.
>     http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>     _______________________________________________
>     Snort-sigs mailing list
>     Snort-sigs at lists.sourceforge.net
>     <mailto:Snort-sigs at lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/snort-sigs
>     http://www.snort.org
>
>
>     Please visit http://blog.snort.org for the latest news about Snort!
>
>


-- 
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140113/08dce5eb/attachment.html>


More information about the Snort-sigs mailing list