[Emerging-Sigs] 2002034 issue

Matthew Jonkman jonkman at emergingthreatspro.com
Sun Oct 23 17:44:49 EDT 2011


Both fixed up, new ruleset out momentarily! Thanks for the note. Human error on both.

Thanks!

matt


On Oct 23, 2011, at 11:48 AM, Gibson, Nathan J. (HSC) wrote:

> Getting same error on this one. 
> 
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9;)
> 
> 
> From: Nathan Gibson <nathan-gibson at ouhsc.edu>
> Date: Sun, 23 Oct 2011 10:30:11 -0500
> To: "jesler at sourcefire.com" <jesler at sourcefire.com>
> Cc: "Emerging-sigs at emergingthreats.net" <Emerging-sigs at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] 2002034 issue
> 
> So this is something ET peeps fix?
> 
> From: "jesler at sourcefire.com" <jesler at sourcefire.com>
> Date: Sun, 23 Oct 2011 10:27:04 -0500
> To: Nathan Gibson <nathan-gibson at ouhsc.edu>
> Cc: "Emerging-sigs at emergingthreats.net" <Emerging-sigs at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] 2002034 issue
> 
> This is because a "depth" is being used with the fast_pattern:only statement.  You can't do that.  
> 
> 
> 
> On Oct 23, 2011, at 11:21 AM, Gibson, Nathan J. (HSC) wrote:
> 
>> Been running ET for a while now. Had this error today. Any thoughts?
>> 
>> 
>> 
>> 10/23/2011 2:01 AM :   snort[29071]: FATAL ERROR: /etc/snort/rules/snort.rules(3219) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.
>> 
>> 
>> 
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16;)
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:misc-activity; sid:2002034; rev:8;)
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
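The constraint Joel names above (a content carrying fast_pattern:only cannot also carry depth, offset, distance or within, which is exactly what Snort's "Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers" fatal error reports) is easy to catch before a ruleset is loaded. The linter below is an added example written for this page; it is not Emerging Threats' or Snort's own code. It tokenizes a rule's option body, attaches each modifier to the content that precedes it, flags the conflicting combination, and demotes fast_pattern:only to plain fast_pattern as one possible repair (the thread does not say which change ET made, so that choice is an assumption). The three rules it runs over are the ones quoted in the thread.

```python
"""Lint Snort rules for a content that combines fast_pattern:only with depth/offset/distance/within.
Added example for this thread; not Emerging Threats' or Snort's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Option keywords that modify the most recent content:/uricontent: in a Snort 2.x rule.
CONTENT_MODIFIERS = {"depth", "offset", "distance", "within", "nocase", "fast_pattern", "rawbytes"}


@dataclass
class ContentSpec:
    pattern: str                                                      # quoted content as written
    modifiers: Dict[str, Optional[str]] = field(default_factory=dict)  # keyword -> value (None = bare flag)


def split_options(rule: str) -> List[str]:
    """Split the option body (inside the outer parentheses) on ';' outside double quotes,
    honouring backslash escapes so pcre:"..." and content:"..." values survive intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(buf).strip():
                opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    return opts


def parse_contents(rule: str) -> Tuple[Optional[int], List[ContentSpec]]:
    """Return (sid, contents); every modifier is attached to the content that precedes it."""
    sid, contents = None, []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("content", "uricontent"):
            contents.append(ContentSpec(val))
        elif key == "sid":
            sid = int(val)
        elif contents and (key in CONTENT_MODIFIERS or key.startswith("http_")):
            contents[-1].modifiers[key] = val or None
    return sid, contents


def check_rule(rule: str) -> List[str]:
    """One message per content that Snort would refuse to load."""
    sid, contents = parse_contents(rule)
    problems = []
    for c in contents:
        m = c.modifiers
        if m.get("fast_pattern") != "only":
            continue
        # The error text says "non-zero offset/depth", so offset:0/depth:0 are tolerated;
        # distance/within make the content relative and are rejected outright.
        bad = [f"{k}:{m[k]}" for k in ("offset", "depth") if k in m and m[k] != "0"]
        bad += [f"{k}:{m[k]}" for k in ("distance", "within") if k in m]
        if bad:
            problems.append(f"sid {sid}: content {c.pattern} has fast_pattern:only with {', '.join(bad)}")
    return problems


def fix_rule(rule: str) -> str:
    """Demote 'fast_pattern:only' to 'fast_pattern' on an offending rule: the content stays the
    fast-pattern candidate but is also evaluated by the detection engine, so depth is legal again.
    This is one possible repair (assumed here); dropping the depth instead is the other."""
    if not check_rule(rule):
        return rule
    return re.sub(r"fast_pattern\s*:\s*only\s*;", "fast_pattern;", rule)


# The rules quoted in the thread (2003157 appears there commented out; the '#' is dropped here).
RULE_2002033 = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16;)'''
RULE_2002034 = r'''alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:misc-activity; sid:2002034; rev:8;)'''
RULE_2003157 = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9;)'''

if __name__ == "__main__":
    for rule in (RULE_2002033, RULE_2002034, RULE_2003157):
        for problem in check_rule(rule):
            print(problem)
            print("  fixed:", fix_rule(rule)[:110], "...")
```

Run against the three quoted rules it flags 2002033 (depth:8 on the PRIVMSG content) and 2003157 (same pattern) and passes 2002034, which only carries nocase; the `within:30` on the second content of 2002033 is not a problem because that content is not the fast pattern. Running it over a whole .rules file before restarting Snort turns the fatal load error into a pre-deployment report.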


