[Snort-users] rules-db.pl try 2

Chris Green cmg at ...671...
Wed Jan 10 14:35:30 EST 2001


I ran them on both rh6.x with lots of updates and an almost vanilla rh
7.  It seemed to work fine on both machines.  I also thought there
might be a problem with perl or wget and LANG=es_ES, so I tried that.  Have
you tried removing the s/^M//?  That is my only guess as to what's
happening on your end.


If you'd mail me the output of while(<WGET>) { print $_; }, I'd
appreciate it.

Here are my tests:

export LANG=es_ES
./rules-db.pl and things worked as expected as well.

This is w/ perl 5.6.0 on a redhat 6.x box:

Snort Rules Additions since 01/01/2001:

alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 73 71|";) 
alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;) 
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; ) 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; msg:"BETA - Possible IRC Access";) 
[ keeps going ]


This is perl-5.6.0-9 and wget-1.5.3-10 on redhat 7

Snort Rules Additions since 01/01/2001:

alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 73 71|";) 
alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;) 
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; ) 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; msg:"BETA - Possible IRC Access";) 
[ keeps going ]


Victor Barahona <victor.barahona at ...700...> writes:

> On Wednesday 10 January 2001 19:27, Chris Green wrote:
> >Victor Barahona <victor.barahona at ...700...> writes:
> >> There is a little problem: all the rules are in one line. It would be
> >> better to add a carriage return.
> >
> >Your patch adds
> >
> >     $rules .="$_\n";
> >
> >This makes all the rules with one line of whitespace between them.  I
> >don't chomp the lines so there is still the newline from the original
> >cgi output.
> 
> Well, something is going wrong then, because that's what I get:
> 
> [root at ...701... barahona]# ./rules-db.pl
> Snort Rules Additions since 01/01/2001:
> 
> alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ 
> Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 
> 73 71|";) alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - 
> SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; 
> content:"acidphreak"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
> (msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 
> 1MB"; nocase; depth: 8;) alert icmp $EXTERNAL_NET any -> $HOME_NET any 
> (msg:"BETA - PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; 
> itype: 8; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK 
> "; flags: AP; msg:"BETA - Possible IRC Access";) alert tcp $HOME_NET any 
> -> $EXTERNAL_NET any (content: "User-Agent\:ICQ"; flags:AP; msg: "BETA - 
> ICQ 2000 Access";) alert icmp $EXTERNAL_NET any -> $HOME_NET any
> [much more]
> 
> I'm using RedHat 7, perl 5.6.0. What happened? I don't know, but I need 
> to add the newline at the end.
> 
> [root at ...701... barahona]# ./rules-db.pl.patch
> 
> Snort Rules Additions since 01/01/2001:
> 
> alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ 
> Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 
> 73 71|";) alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - 
> SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; 
> content:"acidphreak"; nocase;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - 
> possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; 
> content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; 
> msg:"BETA - Possible IRC Access";)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "User-Agent\:ICQ"; 
> flags:AP; msg: "BETA - ICQ 2000 Access";)
> [much more]
> 
> 
> >To test what output looks like, set
> >
> >my $days_ago = 9;
> 
> That was my first try, but when I saw the "monster line" I tried to fix it.
> 
> I don't know if this is happening just to me.
> 
> Cheers
> 
> -- 
> "Alone? you are not alone, Bigbrother is watching you"
> 
> ------------------------------------------------------------------------
> Soporte Seguridad en red........................http://www.utc.uam.es/ss
> Unidad Tecnica de Comunicaciones...................http://www.utc.uam.es
> Universidad Autonoma de Madrid.........................http://www.uam.es
> Tlf.- 91 397 5525                                      PGP ID-0x8750AB79
> ------------------------------------------------------------------------

-- 
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
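The following is an added example for this thread; it is not Chris's rules-db.pl and not code from the Snort project. It mimics the `while(<WGET>) { s/^M//; $rules .= $_; }` style loop over a constructed rule feed (the three rule lines and their CRLF/LF endings are made up for the demo; the function names `collect_rules`, `show_endings` and `count_newlines` are hypothetical) and shows how the per-record cleanup decides whether the newline survives, i.e. one rule per line versus the "monster line" above. It also includes the record dump Chris asked for, with the line-ending bytes made visible.

```perl
#!/usr/bin/perl
# Added example, not the rules-db.pl script from this thread.  It mimics a
# `while (<FH>) { s/^M//; $rules .= $_ }` loop over a constructed rule feed
# and shows how the per-record cleanup decides whether the newline survives.
use strict;
use warnings;

# Constructed sample: three rule lines as a rules CGI might emit them.
my @sample = (
    'alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 73 71|";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; msg:"BETA - Possible IRC Access";)',
);
my $crlf_feed = join '', map { "$_\r\n" } @sample;   # DOS/HTTP style endings
my $lf_feed   = join '', map { "$_\n" }   @sample;   # Unix style endings

# Read a feed record by record, exactly as `while (<WGET>)` would, run the
# cleanup callback with the record aliased to $_, and accumulate the result.
sub collect_rules {
    my ($feed, $cleanup) = @_;
    open my $fh, '<', \$feed or die "cannot open in-memory feed: $!";
    my $rules = '';
    while (my $line = <$fh>) {
        for ($line) { $cleanup->() }   # $_ is aliased to $line in here
        $rules .= $line;
    }
    close $fh;
    return $rules;
}

# Diagnostic for the "mail me the output of while(<WGET>) { print $_; }"
# request: returns the tail of each record with its ending bytes visible.
sub show_endings {
    my ($feed) = @_;
    open my $fh, '<', \$feed or die "cannot open in-memory feed: $!";
    my @shown;
    while (my $line = <$fh>) {
        (my $vis = $line) =~ s/\r/\\r/g;
        $vis =~ s/\n/\\n/g;
        push @shown, substr($vis, -40);   # just the tail, where the endings are
    }
    close $fh;
    return @shown;
}

sub count_newlines { my ($text) = @_; my $n = () = $text =~ /\n/g; return $n }

# Three candidate cleanups for the ^M (carriage return) problem.
my %cleanup = (
    # strips every CR and leaves the LF alone: one rule per line
    strip_cr_only => sub { s/\r//g },
    # strips CR *and* LF: every record loses its terminator and the rules
    # run together into one "monster line"
    strip_crlf    => sub { s/\r?\n\z// },
    # chomp-style normalisation with an explicit "\n" appended: one rule
    # per line whether the feed arrived with CRLF or plain LF endings
    normalize     => sub { s/\r?\n\z//; $_ .= "\n" },
);

print "record endings in the CRLF feed:\n";
print "  ...$_\n" for show_endings($crlf_feed);

for my $name (qw(strip_cr_only strip_crlf normalize)) {
    for my $pair (['CRLF', $crlf_feed], ['LF', $lf_feed]) {
        my ($label, $feed) = @$pair;
        my $rules = collect_rules($feed, $cleanup{$name});
        printf "%-14s on %-4s feed -> %d rule line(s), %d CR(s) left\n",
            $name, $label, count_newlines($rules), ($rules =~ tr/\r//);
    }
}
```

With these inputs `strip_cr_only` and `normalize` give three rule lines on both feeds, while `strip_crlf` gives zero newlines, which is the joined output shown in Victor's first run. Running `show_endings` against the real feed is the quickest way to see whether the records carry `\r\n`, `\n`, or something else, before deciding which substitution the script should apply.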