[Emerging-Sigs] typo in sid 2008187

Joel Esler joel.esler at sourcefire.com
Mon May 12 14:14:35 EDT 2008


Worthwhile points, might want to put this on the snort-(users|devel) list.

J

On May 12, 2008, at 1:17 PM, Jack Pepper wrote:

> I think the -T option should cover every "lint-like" item.  It should
> squeal like a pig over every little nuance that is out of spec.
>
> I wrote a snort-linter a while back, but the changes in metafield
> handling rendered it obsolete.  Metadata fields are not lintable
> except via the hardcoded handler processes in the various metadata
> handlers.
>
> <rant>
>
> metadata examples:
>
> #  three space separated arguments to a metadata field
> metadata:policy security-ips drop;
>
> # two space separated arguments to a metadata field
> metadata:service dns;
>
> since the metadata parsing is specific to the first subfield, the
> parsing algorithm in "-T" accepts anything with at least 2 args.  In
> theory that is all it *can* do.
>
> the following metadata value will pass through "-T" but will die upon launch:
>
> alert tcp any any -> any any (msg: "Test metadata"; content: "Whatever";
> metadata: some seriously bogus nonsense which could never work;
> classtype:attempted-dos; sid:1011101; rev:42;)
>
> So, one of the reasons that "-T" can never be completely fixed is that
> the syntax for snort rules was rendered not BNF parsable with the
> implementation of the "metadata" keyword.  Snort became broken at that
> point (2.6.1.2, I think, it's been a while).  :((  probably not fixable.
>
> Other oddities in the rule grammar exist, but metadata is the most
> obvious and the easiest to explain and understand.
>
> In 2.6.1.3, the nonsense rule above will crash upon take-off.  On
> 2.8.1.2 it doesn't even generate an error message.  changelog on
> 2006-10-12 shows the following note:
> " src/signature.c: Ignore unknown metadata fields."
>
> So we're holding for 3.0.  Will it have a completely BNF parsable
> grammar, like snort used to?
>
> </rant>
>
> jp
>
>
> Quoting Matt Jonkman <jonkman at jonkmans.com>:
>
>> Ya, they did with -T. I should be clear though, apparently the decision
>> was made somewhere in the last few releases to not have snort complain
>> or exit on bad rules. It was a surprise to everyone. I understand both
>> ways, I just prefer to have snort SAY something when it hits a bad rule,
>> and actually exit, vs silently ignoring it. But my pleas have landed
>> upon deaf ears.
>>
>> What's everyone else prefer?
>>
>> Matt
>>
>> Markus Lude wrote:
>>> On Sun, May 11, 2008 at 07:25:49AM -0400, Matt Jonkman wrote:
>>>> Good catch, thanks Markus.
>>>>
>>>> I wish Snort would tell you about this kind of thing....
>>>
>>> Oddly, older versions of snort seem to do this.
>>>
>>> Regards,
>>> Markus
>>>
>>>> Markus Lude wrote:
>>>>> Hello,
>>>>> there's a typo in sid 2008187:
>>>>>
>>>>>  content:"|0d 0a|User-Agent:";
>>>>>                            ^
>>>>>
>>>>> ":" needs to be escaped: "\:".
>>>>>
>>>>> Regards,
>>>>> Markus
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>
>
>
> -- 
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>


--
Joel Esler  joel.esler at sourcefire.com
[m]
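As an added illustration of the two gaps the thread describes (this is not code from the list, from snort, or from Jack's old linter): a small rule linter that flags an unescaped ':' inside a content string, as in sid 2008187, and checks metadata entries beyond the "at least 2 args" test Jack says "-T" applies. The escape set and the metadata key table are assumptions drawn only from what this thread shows; the sample rules are constructed from the ones quoted above.

```python
import re

# Characters the thread says must be escaped inside a content string: ':' is the one
# Markus caught in sid 2008187; an unescaped ';' or '"' would cut the option short.
MUST_ESCAPE = set(':;"')
# Argument counts for the metadata keys shown in the thread (assumption: the only keys
# this linter knows). Any other key is "unknown", which snort itself ignores silently.
METADATA_ARITY = {"policy": 3, "service": 2}
CONTENT_RE = re.compile(r'content\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"')
METADATA_RE = re.compile(r"metadata\s*:\s*([^;]*);")


def unescaped_positions(text):
    """Offsets of MUST_ESCAPE characters that are not backslash-escaped."""
    positions, i = [], 0
    while i < len(text):
        if text[i] == "\\":  # skip the escaped character
            i += 2
            continue
        if text[i] in MUST_ESCAPE:
            positions.append(i)
        i += 1
    return positions


def lint_rule(rule):
    """Return a list of findings for one snort rule; an empty list means clean."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["rule has no option section"]
    options, findings = m.group(1), []
    for cm in CONTENT_RE.finditer(options):
        value = cm.group(1)
        for pos in unescaped_positions(value):
            findings.append(f"content {value!r}: unescaped {value[pos]!r} at offset {pos}")
    for mm in METADATA_RE.finditer(options):
        for entry in mm.group(1).split(","):
            tokens = entry.split()
            if len(tokens) < 2:  # the only check -T makes, per Jack's description
                findings.append(f"metadata {entry.strip()!r}: fewer than 2 arguments")
            elif tokens[0] not in METADATA_ARITY:
                findings.append(f"metadata key {tokens[0]!r}: unknown, snort would ignore it")
            elif len(tokens) != METADATA_ARITY[tokens[0]]:
                findings.append(f"metadata {tokens[0]!r}: wrong argument count {len(tokens)}")
    return findings


# Constructed sample rules: the sid 2008187 typo and Jack's bogus-metadata rule.
TYPO_RULE = 'alert tcp any any -> any any (msg:"Test"; content:"|0d 0a|User-Agent:"; sid:2008187; rev:1;)'
BOGUS_RULE = ('alert tcp any any -> any any (msg:"Test metadata"; content:"Whatever";'
              'metadata: some seriously bogus nonsense which could never work; sid:1011101; rev:42;)')
```

Running lint_rule over a rules file before loading it into snort gives the "say something" behaviour Matt asks for, independent of which snort release is parsing the rules.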