[Snort-users] Broken rule set for 1.8.7

McCammon, Keith Keith.McCammon at ...3497...
Thu Jul 25 16:05:02 EDT 2002


Two classtypes, perhaps?

-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...]
Sent: Thursday, July 25, 2002 6:19 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Broken rule set for 1.8.7




Folks,

  http://www.snort.org/dl/signatures/snortrules.tar.gz

contains a broken rule.  It is possible that snort will core dump (depends
on the OS) if this rule exists (doesn't have to trigger).

rules/web-cgi.rules:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)

I'll leave it to the reader to figure out what is wrong with the rule.

Later,

Phil
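
The rule quoted above carries the `classtype` option twice, which is what the reply points at. The following lint pass is an added example, not part of the original thread or of Snort itself; it flags repeated options in a rules file before the rules are loaded. The function names and the `SINGLE_USE` set (options assumed to be valid at most once per rule) are assumptions made for illustration.

```python
import re

# Assumption: options treated here as valid at most once per rule.
# Options such as reference, content, uricontent and nocase may repeat.
SINGLE_USE = {"msg", "classtype", "sid", "rev", "priority"}

# Rule copied from the message above (rules/web-cgi.rules, sid 885).
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";'
    'flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; '
    'reference:url,www.cert.org/advisories/CA-1996-11.html; '
    'classtype:web-application-activity; classtype:web-application-activity; '
    'sid:885;  rev:5;)'
)

def split_options(body):
    """Split the option block on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def repeated_options(rule):
    """Return {option: count} for single-use options that occur more than once."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return {}  # not a rule line (e.g. var or include directives)
    counts = {}
    for opt in split_options(m.group(1)):
        name = opt.split(":", 1)[0].strip().lower()
        counts[name] = counts.get(name, 0) + 1
    return {k: v for k, v in counts.items() if k in SINGLE_USE and v > 1}

def lint(lines):
    """Yield (line_number, findings) for each rule line with repeated options."""
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line and not line.startswith("#") and repeated_options(line):
            yield n, repeated_options(line)
```

Running `lint()` over each `.rules` file after unpacking a new rule set catches this class of error before the sensor is restarted on it.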

