[Snort-users] RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

Joshua Berry jberry at ...11848...
Fri Jul 9 14:19:05 EDT 2004


I am not sure, but the question marks might be throwing off a parser for
the DB plugin, or might not be accepted as input (the column might be int
only).

Just make up a high number; > 1000000, I think, is the range you are
supposed to use.

-----Original Message-----
From: Joseph Gama [mailto:josephgama at ...131...] 
Sent: Friday, July 09, 2004 4:17 PM
To: Joshua Berry
Subject: RE: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf

Yes, should I make them up?

--- Joshua Berry <jberry at ...11848...> wrote:
> Are you really using question marks for the sid
> number?
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On
> Behalf Of Joseph Gama
> Sent: Friday, July 09, 2004 3:01 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Bug found when using "output database: log, mssql" in snort.conf
> 
> Hello everybody,
> 
> I am sorry for my persistence on trying to find what was wrong with a
> rule. I want to thank Matthew Jonkman and Matthew Watchinski for their
> help trying to figure it out. It happens that the rule works fine when
> no database output is defined in snort.conf, but when using
> "output database: log, mssql" it won't fire at all. I had MSSQL Profiler
> running to detect what was happening, and when sending the offending
> packet nothing was sent to MSSQL.
> 
> This rule works only when there is no database log:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)
> 
> This rule works always:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL  (08)"; content:"|08|"; depth:1; reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:????; rev:0;)
> 
> Thank you.
> 
> Peace,
> 
> Joseph Gama
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 



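The thread ends without a confirmed root cause, but the reply's guess (the database plugin needs an integer sid, so a placeholder like sid:???? gives it nothing to store) is the kind of thing a pre-load check catches before Snort is ever started with a database output. The script below is an added example, not code from the thread or from the Snort project. It tokenises a rule's option block (respecting quoted strings so a ';' inside content: does not split an option), reports a missing, non-integer, or too-low sid, and can rewrite the sid to a local value. The sample rules are the poster's, plus constructed variants; the local-rule floor of 1000000 follows the reply and the Snort manual's convention that sids below that are reserved for distributed rules.

```python
"""Validate and repair the sid option of Snort rules before loading them.

Added example (not from the original thread). Assumptions: local rules use
sid >= LOCAL_SID_MIN, and the database output plugin requires an integer
sid, as the reply in the thread suggests but does not confirm.
"""
import re

LOCAL_SID_MIN = 1_000_000  # floor for locally written rules (assumption, per the reply)

# Everything between the first '(' and the last ')' is the option block.
OPTIONS_RE = re.compile(r"\((.*)\)\s*$", re.DOTALL)


def split_options(body: str) -> list:
    """Split 'k:v; k:v; ...' on ';' while ignoring ';' inside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_options(rule: str) -> dict:
    """Return {keyword: [values...]}; flag-style options map to [None]."""
    m = OPTIONS_RE.search(rule)
    if not m:
        raise ValueError("rule has no option block")
    opts = {}
    for item in split_options(m.group(1)):
        if ":" in item:
            key, value = item.split(":", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
        else:
            opts.setdefault(item, []).append(None)
    return opts


def check_sid(rule: str) -> tuple:
    """Classify the rule's sid: ('ok'|'missing'|'not-integer'|'reserved', detail)."""
    opts = parse_options(rule)
    if "sid" not in opts:
        return ("missing", "no sid option; the DB plugin has nothing to key the signature on")
    raw = opts["sid"][0] or ""
    if not re.fullmatch(r"\d+", raw):
        return ("not-integer", f"sid {raw!r} is not an integer; use a number >= {LOCAL_SID_MIN}")
    sid = int(raw)
    if sid < LOCAL_SID_MIN:
        return ("reserved", f"sid {sid} is below the local range ({LOCAL_SID_MIN}+)")
    return ("ok", f"sid {sid}")


def rewrite_sid(rule: str, new_sid: int) -> str:
    """Return the rule with its sid option replaced by new_sid (token-level, not regex-on-text)."""
    head = rule[: rule.index("(")]
    items = split_options(OPTIONS_RE.search(rule).group(1))
    items = [f"sid:{new_sid}" if it.split(":", 1)[0].strip() == "sid" else it for it in items]
    return f"{head}({'; '.join(items)};)"


# The poster's rule, as one line (sid:???? is exactly what was posted).
RULE_PLACEHOLDER = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
    '(msg:"MS-SQL heap overflow attempt (0A3A31)"; content:"|0A 3A 31|"; depth:3; '
    'reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf; '
    'classtype:attempted-dos; sid:????; rev:0;)'
)
# Constructed variants for the other failure modes.
RULE_RESERVED = rewrite_sid(RULE_PLACEHOLDER, 2003)
RULE_NO_SID = RULE_PLACEHOLDER.replace(" sid:????;", "")
RULE_SEMICOLON_IN_CONTENT = (
    'alert tcp any any -> any 80 (msg:"constructed; semicolon test"; '
    'content:"a;b"; sid:1000002; rev:1;)'
)

if __name__ == "__main__":
    for rule in (RULE_PLACEHOLDER, RULE_RESERVED, RULE_NO_SID, RULE_SEMICOLON_IN_CONTENT):
        status, detail = check_sid(rule)
        print(f"{status:12} {detail}")
    print(rewrite_sid(RULE_PLACEHOLDER, 1_000_001))
```

Run it over a rules file by feeding each non-comment line to check_sid; anything other than "ok" should be fixed (rewrite_sid gives a mechanical fix) before the rule is loaded alongside a database output plugin. The tokenizer toggles on every double quote, so a rule that uses an escaped \" inside content: would need the tokenizer extended to skip the escaped character.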