Just an FYI, I just spent about an hour and a half on the phone with Sourcefire Tech Support...  In addition to many standard VRT Snort rules from Sourcefire, I use a large hunk of ET rules as well... so I wanted to bring this to your attention.

There are 7 rules that use the "fast_pattern:only;" option with the "depth" flag.  Apparently one of the most recent SEUs that I downloaded for my sensor network included a new validation check that caused my sensors to all choke on these rules.  Until I can find the time to troubleshoot them and figure out how to use them with the new SEU, I figured I'd pass this note along to you all...

________________________________
cat active_rules.conf | grep -i "fast_pattern:only;" | grep -i "depth" | \less

alert tcp $EXTERNAL_NET any -> $HOME_NET 12401  (msg:"SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:established,to_server; content:"|5C 2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*\x5C\x2E\x2E/R"; classtype:attempted-user; sid:18648; rev:1; )

alert udp $EXTERNAL_NET any -> $HOME_NET 1900  (msg:"SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; sid:1917; rev:9; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any  (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; fast_pattern:only; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:9; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any  (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12; )

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000  (msg:"ET TROJAN Possible Web-based DDoS-command being issued"; flow:established,from_server; content:"Server|3a| nginx/0."; offset:17; depth:19; content:"Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Lager.Win32; sid:2003296; rev:5; )

alert tcp $EXTERNAL_NET any -> $HOME_NET 1755  (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-dos; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038; sid:2002843; rev:6; )
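As an added example (not from the post, Sourcefire or Emerging Threats), a small Python checker for triaging a rule file before pushing an SEU: the grep above matches the two strings anywhere in a rule, whereas Snort attaches each modifier to the content it follows, so this parser groups modifiers per content and flags only the cases where fast_pattern:only and a positional modifier sit on the same content. It assumes, going beyond the post's mention of depth, that offset, distance and within fall under the same check (an assumption based on Snort's rule parser); the sample rules are constructed, modelled on the shapes in the post.

```python
"""Flag Snort rules where fast_pattern:only shares a content with a positional modifier."""
import re

# Assumption: these modifiers conflict with fast_pattern:only on the same content.
POSITIONAL = {"depth", "offset", "distance", "within"}


def split_options(body):
    """Split a rule option body on ';' that is outside double quotes (backslash escapes honoured)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def check_rule(rule):
    """Return (sid, [contents that carry fast_pattern:only plus a positional modifier]) or None."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return None
    sid, contents, cur = None, [], None
    for opt in split_options(m.group(1)):
        name, _, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        if name == "sid":
            sid = int(val)
        elif name == "content":            # a new content starts a new modifier group
            cur = {"pattern": val, "fp_only": False, "mods": set()}
            contents.append(cur)
        elif cur is None:                  # options before the first content (msg, flow)
            continue
        elif name == "fast_pattern" and val == "only":
            cur["fp_only"] = True
        elif name in POSITIONAL:
            cur["mods"].add(name)
    return sid, [c["pattern"] for c in contents if c["fp_only"] and c["mods"]]


def audit(rules):
    """Map sid -> offending content patterns for every rule that has any."""
    out = {}
    for rule in rules:
        res = check_rule(rule)
        if res and res[1]:
            out[res[0]] = res[1]
    return out


# Constructed sample rules (not real VRT/ET text), one per shape seen in the post.
SAMPLE_RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE same content"; '
    r'flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; '
    r'content:"|3a|"; within:30; sid:9000001; rev:1;)',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SAMPLE different contents"; '
    r'content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; sid:9000002; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE swapped; order"; '
    r'content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/a\x3b|b/i"; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for sid, pats in audit(SAMPLE_RULES).items():
        print(f"sid {sid}: fast_pattern:only shares a content with a positional modifier: {pats}")
```

Feed it the lines of active_rules.conf (one rule per line) to get the list of sids that actually need rewriting rather than every rule the grep happened to match.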