[Emerging-Sigs] typo in sid 2008187

Matt Jonkman jonkman at jonkmans.com
Mon May 12 14:31:06 EDT 2008


Mentioned to someone in IRC and they were putting in a bug request.

Matt

Joel Esler wrote:
> Worthwhile points, might want to put this on the snort-(users|devel) list.
> 
> J
> 
> On May 12, 2008, at 1:17 PM, Jack Pepper wrote:
> 
>> I think the -T option should cover every "lint-like" item.  It should
>> squeal like a pig over every little nuance that is out of spec.
>>
>> I wrote a snort-linter a while back, but the changes in metafield
>> handling rendered it obsolete.  Metadata fields are not lintable
>> except via the hardcoded handler processes in the various metadata
>> handlers.
>>
>> <rant>
>>
>> metadata examples:
>>
>> #  three space separated arguments to a metadata field
>> metadata:policy security-ips drop;
>>
>> # two space separated arguments to a metadata field
>> metadata:service dns;
>>
>> Since the metadata parsing is specific to the first subfield, the
>> parsing algorithm in "-T" accepts anything with at least 2 args.  In
>> theory that is all it *can* do.
>>
>> The following metadata value will pass through "-T" but will die upon
>> launch:
>>
>> alert tcp any any -> any any (msg: "Test metadata"; content:
>> "Whatever";metadata: some seriously bogus nonsense which could never
>> work;   classtype:attempted-dos; sid:1011101; rev:42;)
>>
>> So, one of the reasons that "-T" can never be completely fixed is that
>> the syntax for snort rules was rendered not BNF parsable with the
>> implementation of the "metadata" keyword.  Snort became broken at that
>> point (2.6.1.2, I think, it's been a while).  :((  probably not fixable.
>>
>> Other oddities in the rule grammar exist, but metadata is the most
>> obvious and the easiest to explain and understand.
>>
>> In 2.6.1.3, the nonsense rule above will crash upon take-off.  On
>> 2.8.1.2 it doesn't even generate an error message.  The changelog on
>> 2006-10-12 shows the following note:
>> " src/signature.c: Ignore unknown metadata fields."
>>
>> So we're holding for 3.0.  Will it have a completely BNF parsable
>> grammar, like snort used to?
>>
>> </rant>
>>
>> jp
>>
>>
>> Quoting Matt Jonkman <jonkman at jonkmans.com>:
>>
>>> Ya, they did with -T. I should be clear though, apparently the decision
>>> was made somewhere in the last few releases to not have snort complain
>>> or exit on bad rules. It was a surprise to everyone. I understand both
>>> ways, I just prefer to have snort SAY something when it hits a bad rule,
>>> and actually exit, vs silently ignoring it. But my pleas have landed
>>> upon deaf ears.
>>>
>>> What's everyone else prefer?
>>>
>>> Matt
>>>
>>> Markus Lude wrote:
>>>> On Sun, May 11, 2008 at 07:25:49AM -0400, Matt Jonkman wrote:
>>>>> Good catch, thanks Markus.
>>>>>
>>>>> I wish Snort would tell you about this kind of thing....
>>>> Oddly older versions of snort seem to do this.
>>>>
>>>> Regards,
>>>> Markus
>>>>
>>>>> Markus Lude wrote:
>>>>>> Hello,
>>>>>> there's a typo in sid 2008187:
>>>>>>
>>>>>>  content:"|0d 0a|User-Agent:";
>>>>>>                            ^
>>>>>>
>>>>>> ":" needs to be escaped: "\:".
>>>>>>
>>>>>> Regards,
>>>>>> Markus
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at emergingthreats.net
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>
>>
>> -- 
>>
>> Framework?  I don't need no stinking framework!
>>
>> ----------------------------------------------------------------
>> @fferent Security Labs:  Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
>>
>>
> 
> 
> --
> Joel Esler  joel.esler at sourcefire.com
> [m]
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
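
Since the thread turns on what "snort -T" does and does not catch, here is an
added example of a small rule-option linter in Python. It is not Snort's
parser and not something anyone in the thread posted: it splits the option
block on unescaped semicolons while respecting quotes, flags the characters
that older Snort releases wanted escaped inside content strings (the set
below takes the thread at its word that ':' belongs there, which is exactly
the sid 2008187 typo), and, unlike the two-token test the rant attributes to
-T, refuses metadata entries whose key it does not recognise.
KNOWN_METADATA_KEYS is a made-up whitelist, and every sample rule except the
bogus-metadata one quoted above is constructed for the demo.

```python
"""Tiny Snort 2.x rule-option linter (added example; not Snort's own code).

Checks the two things the thread says `snort -T` does not catch well:
  * content:"..." strings containing characters that must be escaped
  * metadata entries whose first token is not a key Snort knows about
"""
import re

# Characters that must be backslash-escaped inside content:"...".
# ';', '\\' and '"' are the documented ones; ':' is what older releases also
# demanded, per the thread (the sid 2008187 typo).
CONTENT_MUST_ESCAPE = set(';\\":')

# Hypothetical whitelist for illustration.  Real Snort only recognises the
# keys its hard-coded metadata handlers register; per the thread, unknown
# ones were fatal on 2.6.1.3 and silently ignored after the 2006-10-12
# signature.c change.
KNOWN_METADATA_KEYS = {"policy", "service", "engine", "soid"}


def split_options(rule):
    """Return the option block split on unescaped ';' outside double quotes."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no (...) option block")
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in m.group(1):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def lint_content(inner):
    """Return (offset, char) for each unescaped special char in a content string."""
    bad, i = [], 0
    while i < len(inner):
        if inner[i] == "\\":
            i += 2            # backslash-escaped pair: fine, skip it
            continue
        if inner[i] in CONTENT_MUST_ESCAPE:
            bad.append((i, inner[i]))
        i += 1
    return bad


def passes_dash_T(metadata_value):
    """What the thread says -T checks for metadata: every entry has >= 2 tokens."""
    return all(len(entry.split()) >= 2 for entry in metadata_value.split(","))


def lint_metadata(metadata_value):
    """Stricter than -T: also require a recognised key for each entry."""
    problems = []
    for entry in metadata_value.split(","):
        toks = entry.split()
        if len(toks) < 2:
            problems.append(f"metadata entry {entry.strip()!r} needs a key and a value")
        elif toks[0] not in KNOWN_METADATA_KEYS:
            problems.append(f"unknown metadata key {toks[0]!r}")
    return problems


def lint_rule(rule):
    """Return a list of findings for one rule (empty list means clean)."""
    findings = []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            if val.startswith("!"):          # negated content:!"..." form
                val = val[1:].strip()
            if len(val) < 2 or val[0] != '"' or val[-1] != '"':
                findings.append(f"content value is not double-quoted: {val!r}")
                continue
            for pos, ch in lint_content(val[1:-1]):
                findings.append(f"content: unescaped {ch!r} at offset {pos}; write \\{ch}")
        elif key == "metadata":
            findings.extend(lint_metadata(val))
    return findings


# Constructed samples.  Only the content fragment and the bogus-metadata rule
# come from the thread; the rest of the rule text is made up for the demo.
TYPO_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"demo unescaped colon"; '
             'content:"|0d 0a|User-Agent:"; classtype:trojan-activity; sid:9000001; rev:1;)')
FIXED_RULE = TYPO_RULE.replace('User-Agent:"', 'User-Agent\\:"')
BOGUS_METADATA_RULE = ('alert tcp any any -> any any (msg: "Test metadata"; content:"Whatever";'
                       'metadata: some seriously bogus nonsense which could never work;   '
                       'classtype:attempted-dos; sid:1011101; rev:42;)')

if __name__ == "__main__":
    for name, rule in [("typo", TYPO_RULE), ("fixed", FIXED_RULE), ("bogus", BOGUS_METADATA_RULE)]:
        print(name, lint_rule(rule) or "clean")
    # -T would wave the bogus metadata through; the stricter check does not.
    print("-T accepts bogus metadata:",
          passes_dash_T("some seriously bogus nonsense which could never work"))
```

Run it directly to see the three sample rules linted. The bogus metadata
passes passes_dash_T() but fails lint_metadata(), which is the gap the rant
is about; a real deployment would pull the key list from whichever Snort
release is actually being run, since that is the only place it is
authoritative.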
