This sounds like its a good candidate for moving to deleted. The rsync
protocol is pretty unstructured in places and essentially requires a
preprocessor to parse and deal with effectively. We'll give rsync 2.5.6
and 2.5.7 a diff check out the heap overflow and see if it's fixable, if
not we'll move it to deleted. In the mean time I'd suggest disabling it
in your environment.
Cheers,
-matt
Christiaan Ehlers wrote:
Hi thanks for the response, It's a bit of a dumb error on my side!
Now I have the problem that I get a lot of false possitives on my rsync.
All the rsync traffic is legit (I am very sure of this since I
personally triggerd all the alerts from my rsync client!)...
Could this be due to little/big endian issue between the client and
server? Anybody know the format of the rsync packet?
-----Original Message-----
From: snort-sigs-bounces@lists.sourceforge.net
[mailto:snort-sigs-bounces@lists.sourceforge.net] On Behalf Of Nigel
Houghton
Sent: 30 July 2007 19:12
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] rsync problem
On 0, Christiaan Ehlers <Christiaan.Ehlers@inclarity.co.uk> wrote:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
length =3D 4
000 : A4 00 00 00 ....
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
If we step through this rule we see that first 2 bytes are A4 which
is
not more than 4000! The rest of the rule is satisfied though...
The first two bytes are "A4 00" which is decimal 41984.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
