[Snort-users] How many official sets and rules in current Snort?

jiangzhw2008 jiangzhw2008 at ...14518...
Fri Apr 10 03:45:56 EDT 2009


Dear all,
   How many official rule sets and rules are there in the current Snort? Thanks!
   Best regards!
    jiangzhw2008 at ...14518...



On 2009-04-10 01:09:33, snort-users-request at lists.sourceforge.net wrote:
>Send Snort-users mailing list submissions to
>	snort-users at lists.sourceforge.net
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.sourceforge.net/lists/listinfo/snort-users
>or, via email, send a message with subject or body 'help' to
>	snort-users-request at lists.sourceforge.net
>
>You can reach the person managing the list at
>	snort-users-owner at lists.sourceforge.net
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Snort-users digest..."
>
>
>Today's Topics:
>
>   1. Question on 663 (Jack Pepper)
>   2. Re: Question on 663 (rmkml)
>   3. Re: Question on 663 (Jack Pepper)
>   4. Re: Question on 663 (rmkml)
>   5. Re: Question on 663 (Jack Pepper)
>   6. Re: Question on 663 - solved (Jack Pepper)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 09 Apr 2009 10:13:38 -0500
>From: Jack Pepper <pepperjack at ...14319...>
>Subject: [Snort-users] Question on 663
>To: snort-users at lists.sourceforge.net
>Message-ID:
>	<20090409101338.d2jrd7368cwwwksg at ...14320...>
>Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
>	format="flowed"
>
>This rule looks for "RCPT TO: ;"
>
>The reference to cve,1999-0095 regards sendmail having the "debug"
>command enabled. Ditto for the bugtraq,1 reference.  And arachnids has
>been dead for at least 5 years.
>
>Anybody know why this rule exists?  What is the exploitation of RCPT TO?
>
>jp
>
>
>-- 
>
>Framework?  I don't need no stinking framework!
>
>----------------------------------------------------------------
>@fferent Security Labs:  Isolate/Insulate/Innovate
>http://www.afferentsecurity.com
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Thu, 9 Apr 2009 17:38:31 +0200 (CEST)
>From: rmkml <rmkml at ...953...>
>Subject: Re: [Snort-users] Question on 663
>To: Jack Pepper <pepperjack at ...14319...>
>Cc: snort-users at lists.sourceforge.net
>Message-ID: <alpine.LFD.2.00.0904091737580.2938 at ...173...>
>Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>
>Hi,
>maybe look:
>  http://www.securityfocus.com/bid/1/exploit
>Regards
>Rmkml
>Crusoe-Researches.com
>
>
>On Thu, 9 Apr 2009, Jack Pepper wrote:
>
>> This rule looks for "RCPT TO: ;"
>>
>> The reference to cve,1999-0095 regards sendmail having the "debug"
>> command enabled. Ditto for the bugtraq,1 reference.  And arachnids has
>> been dead for at least 5 years.
>>
>> Anybody know why this rule exists?  What is the exploitation of RCPT TO?
>>
>> jp
>>
>> -- 
>>
>> Framework?  I don't need no stinking framework!
>>
>> ----------------------------------------------------------------
>> @fferent Security Labs:  Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> High Quality Requirements in a Collaborative Environment.
>> Download a free trial of Rational Requirements Composer Now!
>> http://p.sf.net/sfu/www-ibm-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
>------------------------------
>
>Message: 3
>Date: Thu, 09 Apr 2009 11:02:13 -0500
>From: Jack Pepper <pepperjack at ...14319...>
>Subject: Re: [Snort-users] Question on 663
>To: rmkml <rmkml at ...953...>
>Cc: snort-users at lists.sourceforge.net
>Message-ID:
>	<20090409110213.ws11n0347k844g0o at ...14320...>
>Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
>	format="flowed"
>
>Quoting rmkml <rmkml at ...953...>:
>
>> maybe look:
>>  http://www.securityfocus.com/bid/1/exploit
>
>Yeah, that's kind of my point, eh?  bugtraq bid 1 is not an exploit in
>RCPT, it's something completely different involving an exploit in DEBUG.
>
>jp
>
>
>-- 
>
>Framework?  I don't need no stinking framework!
>
>----------------------------------------------------------------
>@fferent Security Labs:  Isolate/Insulate/Innovate
>http://www.afferentsecurity.com
>
>
>
>
>------------------------------
>
>Message: 4
>Date: Thu, 9 Apr 2009 18:43:42 +0200 (CEST)
>From: rmkml <rmkml at ...953...>
>Subject: Re: [Snort-users] Question on 663
>To: Jack Pepper <pepperjack at ...14319...>
>Cc: snort-users at lists.sourceforge.net
>Message-ID: <alpine.LFD.2.00.0904091842500.2938 at ...173...>
>Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>in the bid 1 discussion:
>"Sendmail's debug mode allows the recipient of an email message to be a
>program that runs with the privileges of the user id which sendmail is
>running under."
>Regards
>Rmkml
>Crusoe-Researches.com
>
>
>On Thu, 9 Apr 2009, Jack Pepper wrote:
>
>> Quoting rmkml <rmkml at ...953...>:
>>
>>> maybe look:
>>> http://www.securityfocus.com/bid/1/exploit
>>
>> Yeah, that's kind of my point, eh?  bugtraq bid 1 is not an exploit in RCPT,
>> it's something completely different involving an exploit in DEBUG.
>>
>> jp
>>
>
>
>
>------------------------------
>
>Message: 5
>Date: Thu, 09 Apr 2009 12:04:39 -0500
>From: Jack Pepper <pepperjack at ...14319...>
>Subject: Re: [Snort-users] Question on 663
>To: rmkml <rmkml at ...953...>
>Cc: snort-users at lists.sourceforge.net
>Message-ID:
>	<20090409120439.62m67nxegcog4ogk at ...14320...>
>Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
>	format="flowed"
>
>Quoting rmkml <rmkml at ...953...>:
>
>> in the bid 1 discussion:
>> "Sendmail's debug mode allows the recipient of an email message to
>> be a program that runs with the privileges of the user id which
>> sendmail is running under."
>
>right.  i got that.  bugtraq bid 1 discusses the case where sendmail
>has been compiled with the debug option enabled and some outside user
>is trying to access sendmail's "debug" command.  got it.
>
>so back to sid 663:
>
>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to
>command attempt"; flow:to_server,established; content:"rcpt to|3A|";
>nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp;
>reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095;
>classtype:attempted-admin; sid:663; rev:15;)
>
>this rule is *not* about debug.  it does not detect someone using the
>"debug" command.  this rule is about something else entirely.  the
>references are probably incorrect.  but i can find nothing on bugtraq
>about a sendmail exploit using the RCPT TO command.
>
>Back in the arachnid days (this from august of 2002), sid=663 looked
>like this:
>
>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail
>5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20
>2d 65 20 27 31 2c 2f 5e 24 2f 27|";  reference:arachnids,172;
>reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)
>
>so maybe this rule has never been right.
>
>
>jp
>
>
>-- 
>
>Framework?  I don't need no stinking framework!
>
>----------------------------------------------------------------
>@fferent Security Labs:  Isolate/Insulate/Innovate
>http://www.afferentsecurity.com
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Thu, 09 Apr 2009 12:09:27 -0500
>From: Jack Pepper <pepperjack at ...14319...>
>Subject: Re: [Snort-users] Question on 663 - solved
>To: rmkml <rmkml at ...953...>
>Cc: snort-users at lists.sourceforge.net
>Message-ID:
>	<20090409120927.9czdc4m3fkk0cc04 at ...14320...>
>Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
>	format="flowed"
>
>ok, so i will rudely answer my own post, but only so that the thread
>ends with a resolution, rather than ending with "we all lost interest".
>
>Here is the description from arachnids:
>
>Rule:
>
>--
>Sid:
>663
>
>--
>Summary:
>This event is generated when the string "|sed -e '1,/^$/'" is found in
>the payload of a packet sent to a Sendmail server.  This may be an
>attempt to exploit a problem in older versions of Sendmail.
>
>--
>Impact:
>Attempted administrator access.  A successful attack can allow remote
>execution of commands at the privilege level of Sendmail, usually root.
>
>--
>Detailed Information:
>A vulnerability exists in older versions of Sendmail associated with
>the debug mode.  Malformed text specifying the recipient could be a
>command that would execute at the privilege level of Sendmail, often
>times root.  The "sed" command is used to strip off the mail headers
>before executing the supplied command.  This vulnerability was
>exploited by the Morris worm.
>
>--
>Affected Systems:
>Sendmail versions prior to 5.5.9.
>
>--
>Attack Scenarios:
>An attacker can craft a recipient name that is a command. This command
>executes arbitrary code on the server.
>
>--
>Ease of Attack:
>Easy.  An attacker can telnet to port 25 of a vulnerable server, enter
>debug mode, and craft a malicious recipient containing a command to be
>executed.
>
>--
>False Positives:
>It is possible that this event may be generated by text in the DATA
>section of a pipelined SMTP transaction.
>
>--
>False Negatives:
>This rule generates an event based on a specific string in the packet
>payload.  An attacker could craft payloads with other malicious
>commands.
>
>--
>Corrective Action:
>Upgrade to Sendmail version 5.5.9 or higher.
>
>--
>Contributors:
>Original rule written by Max Vision <vision at ...4...>
>Modified by Brian Caswell <bmc at ...1935...>
>Sourcefire Research Team
>Judy Novak <judy.novak at ...1935...>
>Nigel Houghton <nigel.houghton at ...1935...>
>
>--
>Additional References:
>
>Bugtraq:
>http://www.securityfocus.com/bid/1
>
>CVE:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
>
>Arachnids:
>http://www.whitehats.com/info/IDS172
>
>
>-- 
>
>Framework?  I don't need no stinking framework!
>
>----------------------------------------------------------------
>@fferent Security Labs:  Isolate/Insulate/Innovate
>http://www.afferentsecurity.com
>
>
>
>
>------------------------------
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
>End of Snort-users Digest, Vol 35, Issue 10
>*******************************************
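The two revisions of sid 663 quoted in the digest above, run over constructed SMTP payloads. This is an added example, not part of the original thread and not code from the Snort project or rule set: it reimplements only the `content`/`pcre` options of rev 15 and the raw-bytes `content` of rev 4 in Python (the `flow` and `metadata` options are ignored), so the differences the thread points out can be observed offline: rev 15 fires on a `|` or `;` right after `RCPT TO:` and, because of the PCRE `m` flag, on any line of the segment, which is the DATA-section false positive the rule documentation mentions; rev 4 fires only on the exact `|sed -e '1,/^$/'` bytes. The sample payloads, including the angle-bracket-quoted recipient form, are constructed for this demonstration and are not captures.

```python
import re

# sid:663 rev:15, as quoted in the thread:
#   content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi";
REV15_CONTENT = b"rcpt to:"   # |3A| is ':'; nocase -> compare lower-cased payload
REV15_PCRE = re.compile(rb"^rcpt\s+to\:\s*[|\x3b]", re.S | re.M | re.I)  # /smi

# sid:663 rev:4 (2002), as quoted in the thread: a single raw-bytes content.
REV4_HEX = "7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27"
REV4_CONTENT = bytes.fromhex(REV4_HEX.replace(" ", ""))  # b"|sed -e '1,/^$/'"


def rev15_matches(payload: bytes) -> bool:
    """Rev 15: the fast-pattern content must hit before the PCRE is tried."""
    if REV15_CONTENT not in payload.lower():
        return False
    return REV15_PCRE.search(payload) is not None


def rev4_matches(payload: bytes) -> bool:
    """Rev 4: case-sensitive raw-bytes content match only."""
    return REV4_CONTENT in payload


# Constructed client->server SMTP segments (not real traffic).
SAMPLES = {
    # ordinary delivery: neither revision should fire
    "normal": b"RCPT TO:<bob@example.com>\r\n",
    # recipient that is a program, the shape the arachnids text describes
    "program_recipient": b"rcpt to: |sed -e '1,/^$/'d | /bin/sh; exit 0\r\n",
    # same command wrapped in <"...">: rev 15's [|;] must follow ':' and
    # optional whitespace directly, so it misses; rev 4 still sees the bytes
    "quoted_recipient": b"RCPT TO:<\"|sed -e '1,/^$/'d | /bin/sh\">\r\n",
    # semicolon variant of rev 15's character class; rev 4 has nothing to match
    "semicolon": b"RCPT TO:;\r\n",
    # pipelined session: the command is not at offset 0 of the segment,
    # but the PCRE 'm' flag lets '^' match after the newline
    "pipelined": b"MAIL FROM:<a@example.com>\r\nRCPT TO: |/bin/sh\r\nDATA\r\n",
    # the false positive the rule docs warn about: body text in a pipelined
    # DATA segment that happens to start a line with "rcpt to: |"
    "body_text": b"DATA\r\nSubject: notes\r\n\r\nrcpt to: | pipe syntax\r\n.\r\n",
    # a shell command with no sed prefix: rev 4 cannot see it at all
    "other_command": b"RCPT TO: |/bin/sh\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (rev15_fired, rev4_fired)} for every sample payload."""
    return {name: (rev15_matches(p), rev4_matches(p)) for name, p in samples.items()}


if __name__ == "__main__":
    print("rev4 content decodes to:", REV4_CONTENT)
    for name, (r15, r4) in evaluate().items():
        print(f"{name:18} rev15={str(r15):5} rev4={r4}")
```

Snort evaluates the `content` match before the `pcre`, and the emulation keeps that order; on a real sensor the rule runs after stream reassembly, so the "pipelined" case behaves the same as it does here. The point the table makes is the one the thread reaches: the two revisions detect different things, and neither one is about the `debug` command the references cite.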