Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-sigs] Bleeding rules virus and threshold issue

from [Mark Scott] Network Security [Permanent Link]
Subject: RE: [Snort-sigs] Bleeding rules virus and threshold issue
Date: Mon, 21 Feb 2005 18:33:16 -0600 
This is probably too simple, but once I saw this on a box and somehow a
double copy of rules was posted to the same file. I think you said if you
removed VIRUS, things worked. Have you looked at the virus file and made sure
of no dups or do a md5 to check.

 Regards,

Mark

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of James Lay
Sent: Monday, February 21, 2005 6:30 PM
To: 'Matt Jonkman'
Cc: 'Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] Bleeding rules virus and threshold issue

Matt,

Newp...I just updated the bleeding rules just now for giggles...same
thing...really wild.  Here's the config file sans sensative stuff ;)

------------------START-------------------
var HOME_NET [24.116.255.102/32,192.168.0.0/24]
var INTERNAL [24.116.255.102/32,192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
var EXTERNAL !$HOME_NET
var DNS_SERVERS [24.116.255.102,192.168.0.1] var SMTP_SERVERS
[24.116.255.102,192.168.0.1] var HTTP_SERVERS $HOME_NET
[24.116.255.102,192.168.0.1] var SQL_SERVERS 127.0.0.1 var TELNET_SERVERS
127.0.0.1 var SNMP_SERVERS 127.0.0.1 var HTTP_PORTS 80 var SHELLCODE_PORTS
!80 var ORACLE_PORTS 1521 var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,20
5.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,2
05.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config layer2resets: 00:04:75:80:DC:08
preprocessor flow: stats_interval 0 hash 2 preprocessor frag2 preprocessor
stream4: detect_state_problems, disable_evasion_alerts preprocessor
stream4_reassemble: both, ports [all] preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500 preprocessor
rpc_decode: 111 32771 preprocessor bo preprocessor telnet_decode preprocessor
flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [24.116.255.102/32] \
        server-ignore-limit 200 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 4 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [192.168.1.1/32,192.168.0.0/24,24.116.255.102/32] \
        alert-mode once \
        output-mode msg \
        tcp-penalties on
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         ignore_scanners { 24.116.255.102 } \
                         sense_level { low }
output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/classification.config include /etc/snort/reference.config
include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include
$RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include
$RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include
$RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include
$RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include
$RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include
$RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include
$RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include
$RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include
$RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include
$RULE_PATH/sql.rules include $RULE_PATH/x11.rules include
$RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include
$RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include
$RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include
$RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include
$RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include
$RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include
$RULE_PATH/other-ids.rules include $RULE_PATH/web-attacks.rules include
$RULE_PATH/backdoor.rules include $RULE_PATH/policy.rules include
$RULE_PATH/porn.rules include $RULE_PATH/icmp-info.rules include
$RULE_PATH/virus.rules include $RULE_PATH/experimental.rules include
$RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-custom.rules include
$RULE_PATH/bleeding-dos.rules include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-scan.rules include
$RULE_PATH/bleeding-virus.rules include $RULE_PATH/bleeding-web.rules include
$RULE_PATH/bleeding.rules include $RULE_PATH/bleeding-malware.rules include
$RULE_PATH/bleeding-virus.rules include
$RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/homebox.rules
include $RULE_PATH/vision18.rules
include /etc/snort/threshold.conf
---------------END-----------------

Thanks Gents!!

James

-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com]
Sent: Monday, February 21, 2005 8:27 AM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Bleeding rules virus and threshold issue


Do you have the ruleset mentioned twice in your snort.conf?

Snort will load it twice if you do.

If that's not the case please send a snippet of the non-sensitive portions of
your snort.conf and we can get you fixed up.

Matt

James Lay wrote:

Hrmm

I thought the same thing so I grepped 2001578 in /etc/snort and
/etc/snort/rules:

[07:58:07 jlay@homebox:/etc/snort$] grep 2001578 *
sid-msg.map:2001578 || BLEEDING-EDGE Sober.I Worm outbound detected
[07:58:17 jlay@homebox:/etc/snort$] cd rules
[07:58:26 jlay@homebox:/etc/snort/rules$] grep 2001578 * 
bleeding-virus.rules:#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(msg:"BLEEDING-EDGE Sober *nuked the rest so I don't set off the rule* 
;)

Any other thoughts?

-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com]
Sent: Saturday, February 19, 2005 11:43 AM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Bleeding rules virus and threshold issue


This isn't unusual, you can only have one threshold entry per sid. I'd 
guess you're loading the sigs twice for some reason? Maybe for dual 
http ports or smtp ports variables or something?

At any rate, if you remove the duplicate signatures this'll go away. 
if you need to run with several variables I'd recommend a second 
instance of snort with a a pcap expression limiting to just that port, 
and running just the rules relevant. Lots more efficient I think.

Matt

James Lay wrote:


Hey folks!

Just upgraded to 2.3.0 and here's what I get with

Feb 19 08:22:43 ns1 snort: FATAL ERROR: Rule-Threshold-Parse: could 
not create a threshold object -- only one per sid, sid = 2001578 Feb 
19 08:24:19 ns1 snort: FATAL ERROR: Rule-Threshold-Parse: could not 
create a threshold object -- only one per sid, sid = 2001573

after nuking all entries in bleeding-virus.rules with "threshold: type 
limit" in them snort would fire up.  Any thoughts on this?

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Semper Vigilans!!!



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid 
reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] Symantec vulnerability, Rowland, Krisa W ERDC-ITL-MS Contractor
Previous by Thread:  RE: [Snort-sigs] Bleeding rules virus and threshold issue, Frank Knobbe
Next by Thread:  [Snort-sigs] sid 2586 False positive documentation, Burtoft, Jim
Indexes:  [Date] [Thread] [Top] [All Lists]