[Snort-users] How many official sets and rules in current Snort?

Joel Esler jesler at ...1935...
Fri Apr 10 07:41:27 EDT 2009


There is one official ruleset, which is obtainable from www.snort.org/rules.
There are, however, other rule sites such as emerging threats that maintain
a list of rules for many different things.  I would suggest taking the rules
from both locations and seeing which ones fit your particular network.

Joel

2009/4/10 jiangzhw2008 <jiangzhw2008 at ...14518...>

>
> Dear all,
>    How many official sets and rules in current Snort? Thanks!
>    Best regards!
>     jiangzhw2008 at ...14518...
>
> On 2009-04-10 01:09:33, snort-users-request at lists.sourceforge.net wrote:
> >Send Snort-users mailing list submissions to
> >	snort-users at lists.sourceforge.net
> >
> >To subscribe or unsubscribe via the World Wide Web, visit
> >	https://lists.sourceforge.net/lists/listinfo/snort-users
> >or, via email, send a message with subject or body 'help' to
> >	snort-users-request at lists.sourceforge.net
> >
> >You can reach the person managing the list at
> >	snort-users-owner at lists.sourceforge.net
> >
> >When replying, please edit your Subject line so it is more specific
> >than "Re: Contents of Snort-users digest..."
> >
> >
> >Today's Topics:
> >
> >   1. Question on 663 (Jack Pepper)
> >   2. Re: Question on 663 (rmkml)
> >   3. Re: Question on 663 (Jack Pepper)
> >   4. Re: Question on 663 (rmkml)
> >   5. Re: Question on 663 (Jack Pepper)
> >   6. Re: Question on 663 - solved (Jack Pepper)
> >
> >
> >----------------------------------------------------------------------
> >
> >Message: 1
> >Date: Thu, 09 Apr 2009 10:13:38 -0500
> >From: Jack Pepper <pepperjack at ...14319...>
> >Subject: [Snort-users] Question on 663
> >To: snort-users at lists.sourceforge.net
> >Message-ID:
> >	<20090409101338.d2jrd7368cwwwksg at ...14320...>
> >Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
> >	format="flowed"
> >
> >This rule looks for "RCPT TO: ;"
> >
> >The reference to cve,1999-0095 regards sendmail having the "debug"
> >command enabled. Ditto for the bugtraq,1 reference.  And arachnids has
> >been dead for at least 5 years.
> >
> >Anybody know why this rule exists?  What is the exploitation of RCPT TO ?
> >
> >jp
> >
> >--
> >
> >Framework?  I don't need no stinking framework!
> >
> >----------------------------------------------------------------
> >@fferent Security Labs:  Isolate/Insulate/Innovate
> >http://www.afferentsecurity.com
> >
> >------------------------------
> >
> >Message: 2
> >Date: Thu, 9 Apr 2009 17:38:31 +0200 (CEST)
> >From: rmkml <rmkml at ...953...>
> >Subject: Re: [Snort-users] Question on 663
> >To: Jack Pepper <pepperjack at ...14319...>
> >Cc: snort-users at lists.sourceforge.net
> >Message-ID: <alpine.LFD.2.00.0904091737580.2938 at ...173...>
> >Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
> >
> >Hi,
> >maybe look:
> >  http://www.securityfocus.com/bid/1/exploit
> >Regards
> >Rmkml
> >Crusoe-Researches.com
> >
> >
> >------------------------------
> >
> >Message: 3
> >Date: Thu, 09 Apr 2009 11:02:13 -0500
> >From: Jack Pepper <pepperjack at ...14319...>
> >Subject: Re: [Snort-users] Question on 663
> >To: rmkml <rmkml at ...953...>
> >Cc: snort-users at lists.sourceforge.net
> >Message-ID:
> >	<20090409110213.ws11n0347k844g0o at ...14320...>
> >Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
> >	format="flowed"
> >
> >Quoting rmkml <rmkml at ...953...>:
> >
> >> maybe look:
> >>  http://www.securityfocus.com/bid/1/exploit
> >
> >Yeah, that's kind of my point, eh?  bugtraq bid 1 is not an exploit in
> >RCPT, it's something completely different involving an exploit in DEBUG.
> >
> >jp
> >
> >
> >------------------------------
> >
> >Message: 4
> >Date: Thu, 9 Apr 2009 18:43:42 +0200 (CEST)
> >From: rmkml <rmkml at ...953...>
> >Subject: Re: [Snort-users] Question on 663
> >To: Jack Pepper <pepperjack at ...14319...>
> >Cc: snort-users at lists.sourceforge.net
> >Message-ID: <alpine.LFD.2.00.0904091842500.2938 at ...173...>
> >Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> >
> >on bid1 discuss:
> >"Sendmail's debug mode allows the recipient of an email message to be a
> >program that runs with the privileges of the user id which sendmail is
> >running under."
> >Regards
> >Rmkml
> >Crusoe-Researches.com
> >
> >
> >------------------------------
> >
> >Message: 5
> >Date: Thu, 09 Apr 2009 12:04:39 -0500
> >From: Jack Pepper <pepperjack at ...14319...>
> >Subject: Re: [Snort-users] Question on 663
> >To: rmkml <rmkml at ...953...>
> >Cc: snort-users at lists.sourceforge.net
> >Message-ID:
> >	<20090409120439.62m67nxegcog4ogk at ...14320...>
> >Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
> >	format="flowed"
> >
> >Quoting rmkml <rmkml at ...953...>:
> >
> >> on bid1 discuss:
> >> "Sendmail's debug mode allows the recipient of an email message to
> >> be a program that runs with the privileges of the user id which
> >> sendmail is running under."
> >
> >right.  i got that.  bugtraq bid 1 discusses the case where sendmail
> >has been compiled with the debug option enabled and some outside user
> >is trying to access sendmail's "debug" command.  got it.
> >
> >so back to sid 663:
> >
> >alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to
> >command attempt"; flow:to_server,established; content:"rcpt to|3A|";
> >nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp;
> >reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095;
> >classtype:attempted-admin; sid:663; rev:15;)
> >
> >this rule is *not* about debug.  it does not detect someone using the
> >"debug" command.  this rule is about something else entirely.  the
> >references are probably incorrect.  but i can find nothing on bugtraq
> >about a sendmail exploit using the RCPT TO command.
> >
> >Back in the arachnid days (this from august of 2002), sid=663 looked
> >like this:
> >
> >alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail
> >5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20
> >2d 65 20 27 31 2c 2f 5e 24 2f 27|";  reference:arachnids,172;
> >reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)
> >
> >so maybe this rule has never been right.
> >
> >
> >jp
> >
> >
> >------------------------------
> >
> >Message: 6
> >Date: Thu, 09 Apr 2009 12:09:27 -0500
> >From: Jack Pepper <pepperjack at ...14319...>
> >Subject: Re: [Snort-users] Question on 663 - solved
> >To: rmkml <rmkml at ...953...>
> >Cc: snort-users at lists.sourceforge.net
> >Message-ID:
> >	<20090409120927.9czdc4m3fkk0cc04 at ...14320...>
> >Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
> >	format="flowed"
> >
> >ok, so i will rudely answer my own post, but only so that the thread
> >ends with a resolution, rather than ending with "we all lost interest".
> >
> >Here is the description from arachnids:
> >
> >Rule:
> >
> >--
> >Sid:
> >663
> >
> >--
> >Summary:
> >This event is generated when the string "|sed -e '1,/^$/'" is found in
> >the payload of a packet sent to a Sendmail server.  This may be an
> >attempt to exploit a problem in older versions of Sendmail.
> >
> >--
> >Impact:
> >Attempted administrator access.  A successful attack can allow remote
> >execution of commands at the privilege level of Sendmail, usually root.
> >
> >--
> >Detailed Information:
> >A vulnerability exists in older versions of Sendmail associated with
> >the debug mode.  Malformed text specifying the recipient could be a
> >command that would execute at the privilege level of Sendmail, often
> >times root.  The "sed" command is used to strip off the mail headers
> >before executing the supplied command.  This vulnerability was
> >exploited by the Morris worm.
> >
> >--
> >Affected Systems:
> >Sendmail versions prior to 5.5.9.
> >
> >--
> >Attack Scenarios:
> >An attacker can craft a recipient name that is a command. This command
> >executes arbitrary code on the server.
> >
> >--
> >Ease of Attack:
> >Easy.  An attacker can telnet to port 25 of a vulnerable server, enter
> >debug mode, and craft a malicious recipient containing a command to be
> >executed.
> >
> >--
> >False Positives:
> >It is possible that this event may be generated by text in the DATA
> >section of a pipelined SMTP transaction.
> >
> >--
> >False Negatives:
> >This rule generates an event based on a specific string in the packet
> >payload.  An attacker could craft payloads with other malicious
> >commands.
> >
> >--
> >Corrective Action:
> >Upgrade to Sendmail version 5.5.9 or higher.
> >
> >--
> >Contributors:
> >Original rule written by Max Vision <vision at ...4...>
> >Modified by Brian Caswell <bmc at ...1935...>
> >Sourcefire Research Team
> >Judy Novak <judy.novak at ...1935...>
> >Nigel Houghton <nigel.houghton at ...1935...>
> >
> >--
> >Additional References:
> >
> >Bugtraq:
> >http://www.securityfocus.com/bid/1
> >
> >CVE:
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
> >
> >Arachnids:
> >http://www.whitehats.com/info/IDS172
> >
> >
> >
> >------------------------------
> >
> >------------------------------------------------------------------------------
> >This SF.net email is sponsored by:
> >High Quality Requirements in a Collaborative Environment.
> >Download a free trial of Rational Requirements Composer Now!
> >http://p.sf.net/sfu/www-ibm-com
> >
> >------------------------------
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> >
> >End of Snort-users Digest, Vol 35, Issue 10
> >*******************************************
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
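Added example, not part of the thread above and not Snort project code: the Python script below emulates only the payload options of the two sid 663 revisions that Jack Pepper quotes in message 5 of the digest (the rev:15 `content`/`pcre` pair and the rev:4 hex `content` string) and runs them over a few constructed SMTP client payloads. Flow, port and service checks are left out, the sample payloads are made up for illustration, and the hex string is decoded so the rev:4 pattern can be compared with the "|sed -e '1,/^$/'" string from the arachnids IDS172 summary.

```python
import re

# Payload checks of Snort sid 663 as quoted in message 5 of the digest.
# rev:15 (2009): content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"
# The PCRE /s, /m and /i flags correspond to re.DOTALL, re.MULTILINE, re.IGNORECASE.
SID663_REV15_CONTENT = b"rcpt to:"
SID663_REV15_PCRE = re.compile(
    r"^rcpt\s+to\:\s*[|\x3b]", re.DOTALL | re.MULTILINE | re.IGNORECASE
)
# rev:4 (2002): content:"|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"
SID663_REV4_HEX = "7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27"


def decode_snort_hex(hexstr: str) -> bytes:
    """Decode the body of a Snort |..| hex content string into raw bytes."""
    return bytes.fromhex(hexstr.replace(" ", ""))


def sid663_rev15_matches(payload: bytes) -> bool:
    """Emulate rev:15: the case-insensitive content match must hit first
    (Snort uses it as the fast pattern), then the pcre must match."""
    if SID663_REV15_CONTENT not in payload.lower():
        return False
    return SID663_REV15_PCRE.search(payload.decode("latin-1")) is not None


def sid663_rev4_matches(payload: bytes) -> bool:
    """Emulate rev:4: a plain, case-sensitive byte-string search."""
    return decode_snort_hex(SID663_REV4_HEX) in payload


def classify(payloads: dict) -> dict:
    """Map each sample name to the pair (rev15_hit, rev4_hit)."""
    return {
        name: (sid663_rev15_matches(p), sid663_rev4_matches(p))
        for name, p in payloads.items()
    }


# Constructed sample SMTP client payloads (not captured traffic).
SAMPLE_PAYLOADS = {
    # ordinary delivery: neither revision fires
    "normal": b"RCPT TO: <alice@example.org>\r\n",
    # the sed string from the arachnids IDS172 summary as a recipient: both fire
    "sed_recipient": b"RCPT TO: |sed -e '1,/^$/'\r\n",
    # an empty, semicolon-terminated recipient: only the rev:15 pcre fires
    "semicolon_recipient": b"RCPT TO:;\r\n",
    # the false positive the arachnids text warns about: the phrase at the
    # start of a line inside DATA of a pipelined transaction; ^ with /m matches
    "data_body_line": b"DATA\r\nSubject: test\r\n\r\nrcpt to: |see this|\r\n.\r\n",
}

if __name__ == "__main__":
    print("rev:4 content decodes to:", decode_snort_hex(SID663_REV4_HEX))
    for name, (r15, r4) in classify(SAMPLE_PAYLOADS).items():
        print(f"{name:22s} rev15={str(r15):5s} rev4={r4}")
```

Running it makes the point of message 5 concrete: the 2002 rev:4 rule only matched the exact Morris-era sed string, while rev:15 fires on any RCPT TO whose recipient begins with a pipe or a semicolon, regardless of what follows, and the last sample reproduces the false positive documented under "False Positives", where the same text at the start of a line inside DATA satisfies the anchored pcre.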