[Emerging-Sigs] Rules Syntax problem: fast_pattern:only;

Big Irish Dog big.irish.dog at gmail.com
Mon Oct 31 15:08:49 EST 2011


Just an FYI, I just spent about an hour and a half on the phone with
Sourcefire Tech Support...  In addition to many standard VRT Snort rules
from Sourcefire, I use a large hunk of ET rules as well... so I wanted to
bring this to your attention.

There are 7 rules that use the "fast_pattern:only;" option with the "depth"
flag.  Apparently one of the most recent SEUs that I downloaded for my
sensor network included a new validation check that caused my sensors to
all choke on these rules.  Until I can find the time to troubleshoot them
and figure out how to use them with the new SEU, I figured I'd pass this
note along to you all...

________________________________
cat active_rules.conf | grep -i "fast_pattern:only;" | grep -i "depth" | \less

alert tcp $EXTERNAL_NET any -> $HOME_NET 12401  (msg:"SCADA IGSS
IGSSDataServer.exe file upload/download attempt";
flow:established,to_server; content:"|5C 2E 2E|"; fast_pattern:only;
content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4;
distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*\x5C\x2E\x2E/R";
classtype:attempted-user; sid:18648; rev:1; )

alert udp $EXTERNAL_NET any -> $HOME_NET 1900  (msg:"SCAN UPnP service
discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9;
content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan;
sid:1917; rev:9; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any  (msg:"ET TROJAN IRC Potential
bot command response"; flow:established,to_server; content:"PRIVMSG ";
fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a
File transfer|(random|sequential) Port Scan|Random
(Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood
stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No
scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,
doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033;
rev:16; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN Agobot-SDBot
Commands"; flow:established,from_server; content:"PRIVMSG|20|";
fast_pattern:only; depth:8;
pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i";
reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity;
sid:2003157; rev:9; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN IRC pBot PHP
Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|";
depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user
|\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd
|\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server
)/i"; reference:url,doc.emergingthreats.net/2003208;
classtype:trojan-activity; sid:2003208; rev:12; )

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000  (msg:"ET TROJAN
Possible Web-based DDoS-command being issued";
flow:established,from_server; content:"Server|3a| nginx/0."; offset:17;
depth:19; content:"Content-Type|3a| text/html";
content:"|3a|80|3b|255.255.255.255"; fast_pattern:only;
classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003296;
reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lager.Win32;
sid:2003296; rev:5; )

alert tcp $EXTERNAL_NET any -> $HOME_NET 1755  (msg:"ET DOS Microsoft
Streaming Server Malformed Request"; flow:established,to_server;
content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00
00 01 00 00 00|"; fast_pattern:only; classtype:attempted-dos;
reference:bugtraq,1282; reference:url,
www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,
doc.emergingthreats.net/bin/view/Main/2002843; reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038;
sid:2002843; rev:6; )
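The grep above matches any rule whose text contains both strings, even when the depth belongs to a different content than the fast_pattern:only. As an added example (my code, not from the post or from the ET/VRT rule sets), a small Python checker that splits a rule's option list and attributes each modifier to the content it follows, so only a content that actually carries both is reported; it also treats offset, distance and within as conflicting, which is my assumption from the Snort manual rather than something the post states.

```python
import re

# Modifiers that cannot share a content with fast_pattern:only. The post names
# depth; offset/distance/within are included by assumption from the Snort manual.
POSITIONAL = {"depth", "offset", "distance", "within"}

def rule_options(rule):
    """(name, value) pairs from the option body; ';' splits only outside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote, esc = [], "", False, False
    for ch in body:
        if esc:                       # keep the character a backslash escaped
            cur, esc = cur + ch, False
        elif in_quote and ch == "\\":
            cur, esc = cur + ch, True
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ";" and not in_quote:
            opts, cur = opts + [cur.strip()], ""
        else:
            cur += ch
    opts += [cur.strip()] if cur.strip() else []
    return [tuple(s.strip() for s in o.partition(":")[::2]) for o in opts]

def fast_pattern_only_conflicts(rule):
    """Content patterns carrying both fast_pattern:only and a positional modifier.
    A modifier binds to the content before it, so depth on another content is fine."""
    current, groups = None, []
    for name, val in rule_options(rule):
        if name == "content":
            current = (val.strip('"'), set())
            groups.append(current)
        elif current is not None and name in POSITIONAL:
            current[1].add(name)
        elif current is not None and name == "fast_pattern" and val == "only":
            current[1].add("only")
    return [p for p, mods in groups if "only" in mods and mods & POSITIONAL]

def audit(rules):
    """sid -> conflicting content patterns, for the rules that have any."""
    return {int(re.search(r"\bsid:\s*(\d+)", r).group(1)): c
            for r in rules if (c := fast_pattern_only_conflicts(r))}

# Sample input: four of the rules quoted in the post, each joined onto one line.
SAMPLE_RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:established,to_server; content:"|5C 2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*\x5C\x2E\x2E/R"; classtype:attempted-user; sid:18648; rev:1; )',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; sid:1917; rev:9; )',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9; )',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12; )',
]
```

Running `audit(SAMPLE_RULES)` reports sids 2003157 and 2003208, where depth sits on the same "PRIVMSG|20|" content as fast_pattern:only; in 18648 and 1917 the depth belongs to a different content, so they are not reported.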