[Emerging-Sigs] Rules Syntax problem: fast_pattern:only;

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 15:15:41 EST 2011

Thanks, some comments inline, but all the ET rules were fixed last week, so please retry the import!

More inline:

On Oct 31, 2011, at 4:08 PM, Big Irish Dog wrote:

> Just an FYI, I just spent about an hour and a half on the phone with Sourcefire Tech Support...  In addition to many standard VRT Snort rules from Sourcefire, I use a large hunk of ET rules as well... so I wanted to bring this to your attention.
> There are 7 rules that use " fast_pattern:only;" option with the "depth" flag.  Apparently one of the most recent SEU's that I downloaded for my sensor network included a new validation check that caused my sensors to all choke on these rules.  Until I can find the time to troubleshoot them and figure out how to use them with the new SEU, I figured I'd pass this note along to you all...
> ________________________________
> cat active_rules.conf | grep -i "fast_pattern:only;" | grep -i "depth" | \less
> alert tcp $EXTERNAL_NET any -> $HOME_NET 12401  (msg:"SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:established,to_server; content:"|5C 2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*\x5C\x2E\x2E/R"; classtype:attempted-user; sid:18648; rev:1; )
> alert udp $EXTERNAL_NET any -> $HOME_NET 1900  (msg:"SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; sid:1917; rev:9; )

Those two are VRT sigs. But I don't get it, the fast_patterned match isn't depth modified…

> alert tcp $HOME_NET any -> $EXTERNAL_NET any  (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16; )

Fixed last week

> alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9; )

Fixed last week

> alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12; )

Fixed last week

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000  (msg:"ET TROJAN Possible Web-based DDoS-command being issued"; flow:established,from_server; content:"Server|3a| nginx/0."; offset:17; depth:19; content:"Content-Type|3a| text/html"; content:"|3a|80|3b|"; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lager.Win32; sid:2003296; rev:5; )

Same as above, the fast_patterned content match isn't being depth modified, so this ought to work… no? I get no errors out of snort.

> alert tcp $EXTERNAL_NET any -> $HOME_NET 1755  (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-dos; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038; sid:2002843; rev:6; )

Same as above, the fast_pattern:only'd string isn't depth modified.

Joel, you around? Is the check over-zealous or can a fast pattern only rule not have depth *anywhere* in it for new snorts?


Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
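The question in this thread is whether the new validation check looks at the whole rule or only at the content that carries fast_pattern:only. The Snort manual restricts fast_pattern:only from being combined with offset, depth, distance or within on the same content keyword, and a modifier attaches to the most recent content. The linter below is an added example, not code from this thread, from Emerging Threats or from Sourcefire; it assumes the Snort 2.9 option grammar (options inside parentheses, separated by `;`, with `\` escaping characters inside quotes) and runs over trimmed copies of three rules quoted above (pcre bodies shortened, sids kept) plus one hypothetical rewrite of sid 2002033 that keeps depth and drops the `only` argument.

```python
"""Flag a fast_pattern:only content that also carries depth/offset/distance/within.

Added example for the Emerging-sigs thread; assumes the Snort 2.9 rule grammar.
A content modifier is taken to apply to the most recent content keyword, so the
check is per content, not per rule.
"""

POSITIONAL = {"depth", "offset", "distance", "within"}
MODIFIERS = POSITIONAL | {"nocase", "fast_pattern", "rawbytes",
                          "http_uri", "http_raw_uri", "http_header",
                          "http_raw_header", "http_cookie", "http_raw_cookie",
                          "http_method", "http_client_body",
                          "http_stat_code", "http_stat_msg"}


def split_options(rule):
    """Return (keyword, value) pairs from inside the rule's parentheses.

    ';' and ':' inside double quotes do not split; a backslash inside quotes
    escapes the next character (Snort's \\; and \\" forms).
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            cur.extend((ch, body[i + 1]))   # keep the escape verbatim
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    pairs = []
    for opt in opts:
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def content_groups(pairs):
    """Group every content keyword with the modifiers that follow it."""
    groups = []
    for key, value in pairs:
        if key == "content":
            groups.append({"content": value, "mods": {}})
        elif key in MODIFIERS and groups:
            groups[-1]["mods"][key] = value
    return groups


def fast_pattern_only_conflicts(rule):
    """Return (sid, [contents that combine fast_pattern:only with a positional modifier])."""
    pairs = split_options(rule)
    sid = dict(pairs).get("sid")
    bad = [g["content"] for g in content_groups(pairs)
           if g["mods"].get("fast_pattern") == "only" and POSITIONAL & g["mods"].keys()]
    return sid, bad


# Trimmed copies of rules quoted in the thread (pcre shortened, sids kept).
RULES = [
    # sid 1917 (VRT): depth:9 belongs to "M-SEARCH ", fast_pattern:only to the next content.
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; '
    'flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; '
    'classtype:network-scan; sid:1917; rev:9; )',
    # sid 2002033: depth:8 follows the fast_pattern:only content.
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; '
    'flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; '
    'within:30; pcre:"/flood stopped|sending packets/i"; classtype:trojan-activity; sid:2002033; rev:16; )',
    # sid 2003208: depth:8 precedes fast_pattern:only on the same content; order does not matter.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; '
    'flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; '
    'pcre:"/PRIVMSG\\s+\\S+\\s+\\x3a\\s*(\\.die|\\.exec )/i"; classtype:trojan-activity; sid:2003208; rev:12; )',
]

# Hypothetical rewrite (not the fix ET shipped): keep depth, use plain fast_pattern
# so the content is still evaluated as a rule option.
REWRITE_2002033 = RULES[1].replace("fast_pattern:only;", "fast_pattern;")


def lint(rules):
    """Return [(sid, offending contents)] for every rule the check would reject."""
    results = [fast_pattern_only_conflicts(r) for r in rules]
    return [(sid, bad) for sid, bad in results if bad]


if __name__ == "__main__":
    for sid, bad in lint(RULES + [REWRITE_2002033]):
        print(f"sid:{sid} fast_pattern:only combined with a positional modifier on {bad}")
```

Run against the samples it reports sids 2002033 and 2003208 and passes sid 1917, which matches the thread: the depth on the VRT rules sits on a different content than the fast_pattern:only one, while the three ET rules put both on the same content.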
