[Snort-users] Garbled classification

Phil Wood cpw at ...440...
Tue Jun 5 11:07:03 EDT 2001


On Tue, Jun 05, 2001 at 09:56:29AM +0200, Ralf Hildebrandt wrote:
> With a snort CVS snapshot I get a garbled classification:
> 
> Jun  5 09:27:49 john snort: SHELLCODE x86 setgid 0 [Classification: ?)^Z^H?:^Z^H0?^]^H@   Priority: 10]: 62.157.136.80:443 -> 195.243.106.23:64965
> 

Modify these three rules and the problem goes away.  It is really a problem
with the parser which should exit on a bad rule.

policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:6669 (msg:"INFO Possible IRC Access"; flags: A+; content: "NICK "; classtype:not-suspicious; classtype:unknown;) 
policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP anonymous FTP"; content:"anonymous"; nocase; flags:A+; classtype:not-suspicious; classtype:not-suspicious;;) 
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC snmpXdmi query";  rpc:100249,*,*; reference:bugtraq,2417; classtype:attempted-admin;classtype:attempted-recon;)

It is not fixed in cvs.

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list