[Emerging-Sigs] 2002034 issue

Gibson, Nathan J. (HSC) Nathan-Gibson at ouhsc.edu
Sun Oct 23 11:21:33 EDT 2011


Been running ET for a while now. Had this error today. Any thoughts?



10/23/2011 2:01 AM :   snort[29071]: FATAL ERROR: /etc/snort/rules/snort.rules(3219) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.




alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:misc-activity; sid:2002034; rev:8;)
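
The constraint named in the FATAL ERROR above, written as a pre-load check (an added example, not part of the original post and not Emerging Threats or Snort code). It flags any content that combines fast_pattern:only with offset, depth, distance or within; the sample rules are abridged from the two pasted in the post, and the function names are hypothetical.

```python
import re

POSITIONAL = {"offset", "depth", "distance", "within"}
MODIFIERS = POSITIONAL | {"fast_pattern", "nocase", "rawbytes"}

# Abridged from the two rules in the post (pcre, reference and classtype options dropped).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot '
    'command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; '
    'depth:8; content:"|3a|"; within:30; sid:2002033; rev:16;)',
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible '
    '/etc/passwd via HTTP (linux style)"; flow:established,from_server; '
    'content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; sid:2002034; rev:8;)',
]

def split_options(rule):
    """Split the option body on ';', keeping quoted strings (and escapes in them) intact."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    for raw in re.findall(r'((?:"(?:\\.|[^"\\])*"|[^;"])+);', body):
        name, _, value = raw.strip().partition(":")
        opts.append((name.strip(), value.strip()))
    return opts

def fast_pattern_only_conflicts(rule):
    """Return (sid, [(pattern, 'modifier:value')]) for contents the rule parser would reject."""
    sid, contents, current = None, [], None
    for name, value in split_options(rule):
        if name in ("content", "uricontent"):
            current = {"pattern": value}
            contents.append(current)
        elif name in MODIFIERS or name.startswith("http_"):
            if current is not None:
                current[name] = value  # modifier applies to the preceding content
        else:
            current = None  # any other option ends the content's modifier list
            if name == "sid":
                sid = int(value)
    hits = []
    for c in (c for c in contents if c.get("fast_pattern") == "only"):
        for mod in sorted(POSITIONAL & c.keys()):
            # distance/within make the content relative; offset/depth count only when non-zero
            if mod in ("distance", "within") or c[mod] != "0":
                hits.append((c["pattern"], f"{mod}:{c[mod]}"))
    return sid, hits

if __name__ == "__main__":
    print(*map(fast_pattern_only_conflicts, RULES), sep="\n")
```

On these inputs only sid 2002033 is reported, for depth:8 on the "PRIVMSG " content.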
