[Emerging-Sigs] typo in sid 2008187
Jack Pepper
pepperjack at afferentsecurity.com
Mon May 12 13:17:44 EDT 2008
I think the -T option should cover every "lint-like" item. It should
squeal like a pig over every little nuance that is out of spec.
I wrote a snort-linter a while back, but the changes in metafield
handling rendered it obsolete. Metadata fields are not lintable
except via the hardcoded handler processes in the various metadata
handlers.
<rant>
metadata examples:
# three space separated arguments to a metadata field
metadata:policy security-ips drop;
# two space separated arguments to a metadata field
metadata:service dns;
since the metadata parsing is specific to the first subfield, the
parsing algorithm in "-T" accepts anything with at least 2 args. In
theory that is all it *can* do.
the following metadata value will pass through "-T" but will die upon launch:
alert tcp any any -> any any (msg: "Test metadata"; content:
"Whatever";metadata: some seriously bogus nonsense which could never
work; classtype:attempted-dos; sid:1011101; rev:42;)
So, one of the reasons that "-T" can never be completely fixed is that
the syntax for snort rules was rendered not BNF parsable with the
implementation of the "metadata" keyword. Snort became broken at that
point (2.6.1.2, I think, it's been a while). :(( probably not fixable.
Other oddities in the rule grammar exist, but metadata is the most
obvious and the easiest to explain and understand.
In 2.6.1.3, the nonsense rule above will crash upon take-off. On
2.8.1.2 it doesn't even generate an error message. changelog on
2006-10-12 shows the following note:
" src/signature.c: Ignore unknown metadata fields."
So we're holding for 3.0. Will it have a completely BNF parsable
grammar, like snort used to?
</rant>
jp
Quoting Matt Jonkman <jonkman at jonkmans.com>:
> Ya, they did with -T. I should be clear though, apparently the decision
> was made somewhere in the last few releases to not have snort complain
> or exit on bad rules. It was a surprise to everyone. I understand both
> ways, I just prefer to have snort SAY something when it hits a bad rule,
> and actually exit, vs silently ignoring it. But my pleas have landed
> upon deaf ears.
>
> What's everyone else prefer?
>
> Matt
>
> Markus Lude wrote:
>> On Sun, May 11, 2008 at 07:25:49AM -0400, Matt Jonkman wrote:
>>> Good catch, thanks Markus.
>>>
>>> I wish Snort would tell you about this kind of thing....
>>
>> Oddly older versions of snort seem to do this.
>>
>> Regards,
>> Markus
>>
>>> Markus Lude wrote:
>>>> Hello,
>>>> there's a typo in sid 2008187:
>>>>
>>>> content:"|0d 0a|User-Agent:";
>>>>                           ^
>>>>
>>>> ":" needs to be escaped: "\:".
>>>>
>>>> Regards,
>>>> Markus
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com