[Snort-users] Broken rule set for 1.8.7

Phil Wood cpw at ...440...
Thu Jul 25 16:26:05 EDT 2002


You guessed it!

The symptom on linux was that the actual text for the classtype (indexed
by classtype from the classification file) was missing and in its place
was the string " sid".

I'm fairly certain that what another user took to be the classtype text in
the classification file being too long and causing a core dump was actually the
result of the multiple classtype options for that one rule.  That rule
does not have to trigger, just one of the rules in the class "classtype".

I'd be interested if the MAC actually works, or there is some other innocuous
symptom similar to missing classification text.

Onward and upward,

On Thu, Jul 25, 2002 at 07:04:44PM -0400, McCammon, Keith wrote:
> Two classtypes, perhaps?
> 
> -----Original Message-----
> From: Phil Wood [mailto:cpw at ...440...]
> Sent: Thursday, July 25, 2002 6:19 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Broken rule set for 1.8.7
> 
> Folks,
> 
>   http://www.snort.org/dl/signatures/snortrules.tar.gz
> 
> contains a broken rule.  It is possible that snort will core dump (depends
> on the OS) if this rule exists (doesn't have to trigger).
> 
> rules/web-cgi.rules:
> 
>   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)
> 
> I'll leave it to the reader to figure out what is wrong with the rule.
> 
> Later,
> 
> Phil
> 

-- 
Phil Wood, cpw at ...440...
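One way to catch the duplicated-option defect this thread describes before a ruleset is ever loaded, as an added example that is not part of the original messages or of Snort itself: a small Python linter that splits each rule's option list (respecting semicolons inside quoted values) and flags single-valued keywords that appear more than once. The rule text is a copy of the one quoted above; the REPEATABLE set is an assumption about which options may legitimately repeat.

```python
from collections import Counter

# Constructed copy of the rule quoted in the thread (sid 885), with the
# duplicated classtype option left in place on purpose.
BROKEN_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";'
               'flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; '
               'reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; '
               'classtype:web-application-activity; sid:885;  rev:5;)')

# Options that may legitimately appear more than once in a single rule. This set is
# an assumption for the linter; everything not listed here is treated as single-valued.
REPEATABLE = {"reference", "content", "uricontent", "nocase", "pcre", "byte_test", "byte_jump"}

def parse_options(rule: str) -> list:
    """Split the parenthesised option body into (keyword, value) pairs; a ';' inside a
    double-quoted value (e.g. msg:"a;b") does not terminate the option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    if not body.endswith(";"):       # tolerate a missing final semicolon
        body += ";"
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return opts

def duplicate_options(rule: str) -> dict:
    """Return {keyword: count} for single-valued options that occur more than once."""
    counts = Counter(key for key, _ in parse_options(rule))
    return {k: n for k, n in counts.items() if n > 1 and k not in REPEATABLE}

def lint_rules(text: str) -> list:
    """Lint a rules-file body; return (sid, dups) for every rule with duplicated options."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "(" not in line:
            continue                 # blank line, comment, or not a rule
        dups = duplicate_options(line)
        if dups:
            sid = next((v for k, v in parse_options(line) if k == "sid"), "?")
            findings.append((sid, dups))
    return findings
```

Running `lint_rules` over the rule above reports sid 885 with `classtype` seen twice, while the same rule with one classtype removed passes cleanly.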