[Emerging-Sigs] Rules Syntax problem: fast_pattern:only;

Joel Esler jesler at sourcefire.com
Mon Oct 31 15:22:25 EST 2011

The first two rules are ours (VRT) 18648 and 1917.  They are both correct.
The ET rules with the sids of 2003296 and 2002843 should also be correct.
Rules 2002033, 2003157, and 2003208, however, are wrong.  Snort should error on these when attempting to start, as you found out.

You can't use fast_pattern:only with a "placement" modifier (depth, distance, offset, within).

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Oct 31, 2011, at 4:08 PM, Big Irish Dog wrote:

> Just an FYI, I just spent about an hour and a half on the phone with Sourcefire Tech Support...  In addition to many standard VRT Snort rules from Sourcefire, I use a large hunk of ET rules as well... so I wanted to bring this to your attention.
> There are 7 rules that use " fast_pattern:only;" option with the "depth" flag.  Apparently one of the most recent SEU's that I downloaded for my sensor network included a new validation check that caused my sensors to all choke on these rules.  Until I can find the time to troubleshoot them and figure out how to use them with the new SEU, I figured I'd pass this note along to you all...
> ________________________________
> cat active_rules.conf | grep -i "fast_pattern:only;" | grep -i "depth" | \less
> alert tcp $EXTERNAL_NET any -> $HOME_NET 12401  (msg:"SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:established,to_server; content:"|5C 2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*\x5C\x2E\x2E/R"; classtype:attempted-user; sid:18648; rev:1; )
> alert udp $EXTERNAL_NET any -> $HOME_NET 1900  (msg:"SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; sid:1917; rev:9; )
> alert tcp $HOME_NET any -> $EXTERNAL_NET any  (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12; )
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000  (msg:"ET TROJAN Possible Web-based DDoS-command being issued"; flow:established,from_server; content:"Server|3a| nginx/0."; offset:17; depth:19; content:"Content-Type|3a| text/html"; content:"|3a|80|3b|"; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lager.Win32; sid:2003296; rev:5; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1755  (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-dos; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038; sid:2002843; rev:6; )
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111031/9418e9d2/attachment.html

More information about the Emerging-sigs mailing list