[Snort-sigs] rsync problem

Subject: [Snort-sigs] rsync problem
Date: Mon, 30 Jul 2007 18:35:07 +0100
Hi

I have a problem with the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server,established; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:7;)



The byte_test command "byte_test:2,>,4000,0" seems suspect to me.  As
far as I understand it, it says "compare the value of the first 2 bytes
in the packet payload and see if it is greater than 4000".  I don't
think the value of 2 bytes will ever be more than 4000??



What is stranger is that nearly ALL my rsync traffic triggers on this
rule!!!



Here is a sample of a payload that triggers:

========================

length = 4

000 : A4 00 00 00                                       ....

========================



If we step through this rule we see that first 2 bytes are A4 which is
not more than 4000!  The rest of the rule is satisfied though...



I am pretty new to Snort rule writing, so I am betting on a gap in
my knowledge causing this misunderstanding, but I just can't figure it
out!



Thanks in advance for any help on this.



Kind Regards

Christiaan Ehlers
Systems Administrator

Inclarity plc * 7th Floor * Olympic Office Centre * 8 Fulton Road *
Wembley * Middlesex * HA9 0NU
Tel:    +44 (0) 208 634 0445
Mob:   +44 (0) 777 913 7962
Fax:    +44 (0) 208 634 9145
Email:  christiaan.ehlers@inclarity.co.uk
Web:   www.inclarity.co.uk <http://www.inclarity.co.uk/>
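Editor's note, added after the post and not part of the original thread: the detail the poster's walkthrough misses is that byte_test does not look at one byte. It takes the 2 bytes at offset 0 (A4 00 in the sample) and converts them to a single integer, big-endian unless the rule adds the little modifier, so the value compared is 0xA400 = 41984, which is greater than 4000 and the test passes. rsync sends its integers little-endian on the wire, so a small message length such as 0xA4 (164) is read as a large big-endian number, and any message whose low length byte is 0x10 or more crosses the 4000 threshold. The Python below is example code written for this note (not Snort's source and not the poster's): it re-implements the byte_test and content/offset/depth semantics as documented in the Snort manual, steps through the captured 4-byte payload from the post, and shows how the same rule evaluates with and without the little modifier.

```python
# Added example: a minimal re-implementation of Snort's byte_test and
# content/offset/depth checks, applied to the payload quoted in the post.
import operator

# Constructed from the hex dump in the post: the 4-byte rsync message
# that fires sid 2048 on nearly all of the poster's traffic.
PAYLOAD = bytes.fromhex("A4000000")

# Comparison operators accepted by byte_test.
_OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda extracted, value: (extracted & value) != 0,
    "^": lambda extracted, value: (extracted ^ value) != 0,
}


def extract_value(payload, num_bytes, offset, little_endian=False):
    """Return the integer byte_test reads from payload[offset:offset+num_bytes].

    Snort converts the bytes big-endian unless the rule carries the
    'little' modifier; that default is what turns A4 00 into 0xA400.
    """
    chunk = payload[offset:offset + num_bytes]
    if len(chunk) < num_bytes:
        raise ValueError("payload too short for byte_test")
    return int.from_bytes(chunk, "little" if little_endian else "big")


def byte_test(payload, num_bytes, op, value, offset, little_endian=False):
    """Evaluate byte_test:<num_bytes>,<op>,<value>,<offset>[,little]."""
    try:
        extracted = extract_value(payload, num_bytes, offset, little_endian)
    except ValueError:
        return False  # too few bytes in the payload: no match
    return _OPS[op](extracted, value)


def content_match(payload, pattern, offset=0, depth=None):
    """Evaluate content:"<pattern>"; offset:<offset>; depth:<depth>;

    offset says where the search starts, depth how many bytes past that
    point the pattern may be found.
    """
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def rule_2048_matches(payload, little_endian=False):
    """The payload checks of sid 2048 rev 7 as quoted in the post:
    byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2;
    little_endian=True shows what adding the 'little' modifier would do.
    """
    return (byte_test(payload, 2, ">", 4000, 0, little_endian)
            and content_match(payload, b"\x00\x00", offset=2, depth=2))


if __name__ == "__main__":
    for little in (False, True):
        label = "little" if little else "big-endian (Snort default)"
        print(f"{label}: first two bytes read as "
              f"{extract_value(PAYLOAD, 2, 0, little)}, "
              f"rule fires: {rule_2048_matches(PAYLOAD, little)}")
```

Running the block prints the two readings side by side: 41984 and a firing rule under the big-endian default, 164 and no match when the same two bytes are read little-endian. The second content check (the two zero bytes at offset 2) is satisfied either way, which is why the poster sees "the rest of the rule is satisfied" on ordinary traffic.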