[Snort-sigs] Bad range in Snort rules

Alex McDonnell amcdonnell at ...435...
Mon Jan 13 12:54:50 EST 2014


Hey Lukas,

Further research indicated that those rules were not necessary to cover the
vuln.

thanks
Alex McDonnell
VRT



On Mon, Jan 13, 2014 at 9:32 AM, Lukas Matt <lukas.matt at ...525...> wrote:

>  Hi Alex, why do you removed them? I mean it is only a little change
> necessary to make them work correctly.
>
> Regards,
> Lukas
>
>
>
> On 01/13/2014 03:24 PM, Alex McDonnell wrote:
>
>  Hi Lukas.
>
>  The rules in question were deleted the 13th of december and went out in
> SEU: 1018 Date: 2013-12-17
>
>  thanks
> Alex McDonnell
> VRT
>
>
> On Mon, Jan 13, 2014 at 8:52 AM, Lukas Matt <lukas.matt at ...525...> wrote:
>
>>  Hi all, was there some progress regarding the bad range while Christmas?
>>
>> Cheers,
>> Lukas
>>
>>
>> On 12/16/2013 06:00 PM, Joel Esler (jesler) wrote:
>>
>> Lukas, yes, this will be fixed in an upcoming release.
>>
>>  --
>> *Joel Esler*
>> Intelligence Lead
>> OpenSource Manager
>> Vulnerability Research Team
>> Jabber: jesler at ...3865...
>>
>>  On Dec 16, 2013, at 5:12 AM, Lukas Matt <lukas.matt at ...525...> wrote:
>>
>>  Hey guys,
>>
>> I ran into following error message "Bad range: 4294967296"
>> That affect rule 28519 and 28514. The problem here is following part:
>>
>> byte_test:4,>,4294967296,18,relative,little;
>>
>> Under 32bit the maximum Int is 2^32-1 but in the rule you forgot to
>> subtract 1.
>> I checked also the documentation and the maximum for your byte_test is
>> 4294967295.
>>
>> Could you double check that?
>>
>> Cheers,
>> Lukas
>>
>>
>> --
>> Lukas Matt
>> Deep Packet Inspection Researcher, RnD
>>
>> tel: +49-721-25516-322, cell: +49-174-3440-555
>>
>> Sophos Technology GmbH
>> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>>
>> SOPHOS Security made simple
>>
>> ---
>> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
>> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
>> Executive Board: Nicholas Bray, Pino von Kienlin, Richard Walford, Joachim Frost, Günter Junk
>>
>> ------------------------------------------------------------------------------
>> Rapidly troubleshoot problems before they affect your business. Most IT
>> organizations don't have a clear picture of how application performance
>> affects their revenue. With AppDynamics, you get 100% visibility into
>> your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
>> Pro!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk_______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>>
>>  --
>> Lukas Matt
>> Deep Packet Inspection Researcher, RnD
>>
>> tel: +49-721-25516-322, cell: +49-174-3440-555
>>
>>
>> Sophos Technology GmbH
>> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>>
>> SOPHOS Security made simple
>>
>> ---
>> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
>> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
>> Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>>
>>
>>
>> ------------------------------------------------------------------------------
>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>> Critical Workloads, Development Environments & Everything In Between.
>> Get a Quote or Start a Free Trial Today.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
>
>
> --
> Lukas Matt
> Deep Packet Inspection Researcher, RnD
>
> tel: +49-721-25516-322, cell: +49-174-3440-555
>
> Sophos Technology GmbH
> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>
> SOPHOS Security made simple
>
> ---
> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140113/3d6369f2/attachment.html>


More information about the Snort-sigs mailing list