[Emerging-Sigs] Emerging-sigs Digest, Vol 14, Issue 21

Mahesh Yelsani wolvee_x at yahoo.com
Tue Jan 13 11:49:52 EST 2009


How to run Snort in 'lint' mode...
 
Thanks,
Mahesh..

--- On Tue, 1/13/09, emerging-sigs-request at emergingthreats.net <emerging-sigs-request at emergingthreats.net> wrote:

From: emerging-sigs-request at emergingthreats.net <emerging-sigs-request at emergingthreats.net>
Subject: Emerging-sigs Digest, Vol 14, Issue 21
To: emerging-sigs at emergingthreats.net
Date: Tuesday, January 13, 2009, 4:13 PM

Send Emerging-sigs mailing list submissions to
	emerging-sigs at emergingthreats.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
	emerging-sigs-request at emergingthreats.net

You can reach the person managing the list at
	emerging-sigs-owner at emergingthreats.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Emerging-sigs digest..."


Today's Topics:

   1. Emerging Threats Daily Signature Changes
      (emerging at emergingthreats.net)
   2. [Fwd: SNORT  FATAL ERROR] (Michael Scheidell)
   3. Re: [Fwd: SNORT  FATAL ERROR] (Michael Scheidell)
   4. Re: [Fwd: SNORT  FATAL ERROR] (Matt Jonkman)
   5. Re: [Fwd: SNORT  FATAL ERROR] (Michael Scheidell)
   6. Re: [Fwd: SNORT  FATAL ERROR] (Joel Esler)
   7. Re: [Fwd: SNORT  FATAL ERROR] (Matt Jonkman)


----------------------------------------------------------------------

Message: 1
Date: Mon, 12 Jan 2009 16:00:09 -0500 (EST)
From: emerging at emergingthreats.net
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
To: emerging-sigs at emergingthreats.net
Message-ID: <20090112210009.2693145026 at goliath.jonkmans.com>


[***] Results from Oinkmaster started Mon Jan 12 16:00:09 2009 [***]

[+++]          Added rules:          [+++]

 2009005 - ET TROJAN Simbar Spyware/Trojan User-Agent Detected
(emerging-virus.rules)
 2009006 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1
(emerging.rules)
 2009007 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2
(emerging.rules)
 2009008 - ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3
(emerging.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (8):
        2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected ||
url,vil.nai.com/vil/content/v_131206.htm ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
        2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 1 || url,isc.sans.org/diary.html?storyid=5599
        2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 2 || url,isc.sans.org/diary.html?storyid=5599
        2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 3 || url,isc.sans.org/diary.html?storyid=5599
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  ||
url,www.shadowserver.org
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  ||
url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING
SOURCE || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING
SOURCE || url,www.shadowserver.org

     -> Added to emerging-sid-msg.map.txt (8):
        2009005 || ET TROJAN Simbar Spyware/Trojan User-Agent Detected ||
url,vil.nai.com/vil/content/v_131206.htm ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805
        2009006 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 1 || url,isc.sans.org/diary.html?storyid=5599
        2009007 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 2 || url,isc.sans.org/diary.html?storyid=5599
        2009008 || ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit
Attempt 3 || url,isc.sans.org/diary.html?storyid=5599
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  ||
url,www.shadowserver.org
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  ||
url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING
SOURCE || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING
SOURCE || url,www.shadowserver.org

     -> Added to emerging-virus.rules (1):
        #by RPG



------------------------------

Message: 2
Date: Mon, 12 Jan 2009 21:44:46 -0500
From: Michael Scheidell <scheidell at secnap.net>
Subject: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: emerging-sigs at emergingthreats.net
Message-ID: <496C001E.5020507 at secnap.net>
Content-Type: text/plain; charset="iso-8859-1"



-------- Original Message --------
Subject: 	HackerTrap Alert: FATAL ERROR
Date: 	Tue, 13 Jan 2009 03:10:58 +0100 (CET)
From: 	root at success-ae.hackertrap.net (Success-AE Root)
To: 	maint at success-ae.hackertrap.net



Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR: rules/emerging.rules(147)
=> ParsePattern Got Null enclosed in quotation marks (")!


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
>|SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

------------------------------

Message: 3
Date: Mon, 12 Jan 2009 22:03:40 -0500
From: Michael Scheidell <scheidell at secnap.net>
Subject: Re: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: <emerging-sigs at emergingthreats.net>
Message-ID: <C5916EBC.7AB21%scheidell at secnap.net>
Content-Type: text/plain; charset="us-ascii"

> does Accept: need a \: ?
> 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt
> 1"; flow:to_server,established; content:"POST
> /roundcube/bin/html2text.php
> HTTP/1."; nocase; content:"Accept:
> ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw==";
> classtype:attempted-admin;
> reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009006; rev:1;)
> 
> 
> -------- Original Message --------
>  Subject:  HackerTrap Alert: FATAL ERROR
>  Date:  Tue, 13 Jan 2009 03:10:58 +0100 (CET)
>  From:  root at success-ae.hackertrap.net (Success-AE Root)
>  To:  maint at success-ae.hackertrap.net
> 
> Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR:
> rules/emerging.rules(147) => ParsePattern Got Null enclosed in
> quotation marks (")!

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer




------------------------------

Message: 4
Date: Tue, 13 Jan 2009 10:49:08 -0500
From: Matt Jonkman <jonkman at jonkmans.com>
Subject: Re: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: Michael Scheidell <scheidell at secnap.net>
Cc: emerging-sigs at emergingthreats.net
Message-ID: <496CB7F4.3040001 at jonkmans.com>
Content-Type: text/plain; charset=ISO-8859-1

Yes it does, why do you ask? :)

Fixed up, thanks for letting me know!

Matt

Michael Scheidell wrote:
>     does Accept: need a \: ?
> 
> 
>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
>     CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt
>     1"; flow:to_server,established; content:"POST
>     /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept:
>     ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw==";
>     classtype:attempted-admin;
>     reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009006; rev:1;)
> 
> 
>     -------- Original Message --------   
>      Subject:  HackerTrap Alert: FATAL ERROR  
>      Date:  Tue, 13 Jan 2009 03:10:58 +0100 (CET)  
>      From:  root at success-ae.hackertrap.net (Success-AE Root)  
>      To:  maint at success-ae.hackertrap.net  
> 
>     Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR:
>     rules/emerging.rules(147) => ParsePattern Got Null enclosed in
>     quotation marks (")!
> 
> 
> -- 
> Michael Scheidell, CTO
>>|SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
> 
> 
> ------------------------------------------------------------------------
> 
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see www.secnap.com/products/spammertrap/
> <http://www.secnap.com/products/spammertrap/>
> 
> ------------------------------------------------------------------------
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------

Message: 5
Date: Tue, 13 Jan 2009 11:01:03 -0500
From: Michael Scheidell <scheidell at secnap.net>
Subject: Re: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: <emerging-sigs at emergingthreats.net>
Message-ID: <C59224EF.7B0BA%scheidell at secnap.net>
Content-Type: text/plain;	charset="US-ASCII"

> Yes it does, why do you ask? :)
> 
> Fixed up, thanks for letting me know!
> 
Sure wish there was a 'lint' mode on Snort.

Snort 2.4* will crash on bad rules (and make a log entry); Snort 2.6* will
not do anything but disable the rule (no log, no error message, nothing).

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer




------------------------------

Message: 6
Date: Tue, 13 Jan 2009 11:03:25 -0500
From: Joel Esler <eslerj at gmail.com>
Subject: Re: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: Michael Scheidell <scheidell at secnap.net>
Cc: emerging-sigs at emergingthreats.net
Message-ID: <73F7A1A4-B30A-486C-A62D-317E3DCD933A at gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes

Isn't that what -T is for?

J

On Jan 13, 2009, at 11:01 AM, Michael Scheidell allegedly wrote:

>> Yes it does, why do you ask? :)
>>
>> Fixed up, thanks for letting me know!
>>
> Sure wish there was a 'lint' mode on snort.
>
> Snort 2.4* will crash with bad rules (and make log entry), snort  
> 2.6* will
> not do anything but disable the rule (no log, no error message,  
> nothing)
>
> -- 
> Michael Scheidell, CTO
>> |SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
>
>
> _________________________________________________________________________
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.secnap.com/products/spammertrap/
> _________________________________________________________________________
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]



------------------------------

Message: 7
Date: Tue, 13 Jan 2009 11:13:39 -0500
From: Matt Jonkman <jonkman at jonkmans.com>
Subject: Re: [Emerging-Sigs] [Fwd: SNORT  FATAL ERROR]
To: Joel Esler <eslerj at gmail.com>
Cc: emerging-sigs at emergingthreats.net
Message-ID: <496CBDB3.70502 at jonkmans.com>
Content-Type: text/plain; charset=UTF-8

To a degree, but it doesn't give a bad exit status when it finds a bad
sig, so it's not really useful in automation.

Matt

Joel Esler wrote:
> Isn't that what -T is for?
> 
> J
> 
> On Jan 13, 2009, at 11:01 AM, Michael Scheidell allegedly wrote:
> 
>>> Yes it does, why do you ask? :)
>>>
>>> Fixed up, thanks for letting me know!
>>>
>> Sure wish there was a 'lint' mode on snort.
>>
>> Snort 2.4* will crash with bad rules (and make log entry), snort  
>> 2.6* will
>> not do anything but disable the rule (no log, no error message,  
>> nothing)
>>
>> -- 
>> Michael Scheidell, CTO
>>> |SECNAP Network Security
>> Winner 2008 Network Products Guide Hot Companies
>> FreeBSD SpamAssassin Ports maintainer
>>
>>
>>
_________________________________________________________________________
>> This email has been scanned and certified safe by SpammerTrap(r).
>> For Information please see http://www.secnap.com/products/spammertrap/
>>
_________________________________________________________________________
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler
> [m]
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
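Since -T does not return a failing exit status on a bad signature, one way to get the missing 'lint' behaviour in automation is to derive the status from the test-mode output itself. The following is an added example, not code from this thread or from the Snort project; it assumes a snort binary (SNORT) that accepts -T -c <conf> and reports rule errors on lines containing "FATAL ERROR" or "ERROR:", as in the log line quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Snort project: a small
# 'lint' wrapper around `snort -T`. Since -T does not return a failing exit
# status on a bad signature, the wrapper derives one from the output text.
# Assumptions: SNORT names a snort binary accepting -T -c <conf>, and rule
# errors appear on lines containing "FATAL ERROR" or "ERROR:", as in the
# log line quoted in the thread.
SNORT=${SNORT:-snort}

# Print every error line found in snort output read from stdin.
snort_lint_errors() {
    grep -E 'FATAL ERROR|ERROR:' || true
}

# Return 0 when the snort output on stdin has no error lines, 1 otherwise.
snort_lint_check() {
    n=$(snort_lint_errors | grep -c . || true)
    [ "$n" -eq 0 ]
}

# Run snort in test mode on a config and map any reported error to a
# non-zero exit status, so a rule update can be gated in a script.
# Usage: snort_lint /etc/snort/snort.conf
snort_lint() {
    conf=$1
    out=$(mktemp) || return 2
    # snort's own exit status is deliberately ignored; the text decides.
    "$SNORT" -T -c "$conf" >"$out" 2>&1 || true
    if snort_lint_check <"$out"; then
        echo "snort_lint: no rule errors in $conf"
        rm -f "$out"
        return 0
    fi
    echo "snort_lint: rule errors in $conf:" >&2
    snort_lint_errors <"$out" >&2
    rm -f "$out"
    return 1
}

# Constructed sample of -T output carrying the error line quoted in the thread.
SAMPLE_OUTPUT='Initializing rule chains...
Jan 13 03:10:58 success-ae snort[43951]: FATAL ERROR: rules/emerging.rules(147) => ParsePattern Got Null enclosed in quotation marks (")!
Tagged Packet Limit: 256'

if [ $# -gt 0 ]; then
    snort_lint "$1"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | snort_lint_errors
fi
```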




------------------------------

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


End of Emerging-sigs Digest, Vol 14, Issue 21
*********************************************


