Snort mailing list archives

Re: Possible FP 17363
From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 26 Oct 2010 08:48:01 -0600

Thank you.

url =
url =
path = /bin:/usr/bin:/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf

The snort.conf file is kinda beefy...what's the best method to put this
online?  Thanks again.




From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 26, 2010 8:21 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Possible FP 17363

have to see your oinkmaster.conf and snort.conf



        -----Original Message-----
        From: Lay, James [mailto:james.lay () wincofoods com]
        Sent: Tuesday, October 26, 2010 10:13 AM
        To: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

        Hrmm....that's confusing then...oinkmaster says:

        Loading /usr/local/etc/snort/oinkmaster.conf
        Downloading file from
        ot-2900.tar.gz... done.
        Archive successfully downloaded, unpacking... done.
        Downloading file from
        ar.gz... done.
        Archive successfully downloaded, unpacking... done.
        Setting up rules structures... done.
        Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
        Setting up rules structures... done.
        Comparing new files to the old ones... done.
        Updating local rules files... done.

        [08:11:48 me () ids:~/rules$] sudo grep 17363 *.rules
        web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

        Are rules not getting updated in 2900?  Or is my oinkmaster not
        doing what it's supposed to do?  Thanks for any help.




        From: Alex Kirk [mailto:akirk () sourcefire com]
        Sent: Monday, October 25, 2010 10:44 AM
        To: rmkml
        Cc: Lay, James; snort-sigs () lists sourceforge net; rmkml () free fr
        Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
        Importance: Low

        Actually, this rule is currently at rev:3 - adding a flowbit
        check and some additional bytes to the content match - due to earlier
        false positive reports. If you get further FPs with the current revision
        of the rule, please let us know.

        On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

        Hi James,
        maybe for "small" reduce FP add "isdataat:255,relative;" after
        another maybe null byte are separator? and instead
        "isdataat:255,relative; content:!"|00|"; within:255;" ?
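As an added illustration (not code from the thread, from Sourcefire or from the Snort project), here is a small Python simulator of how the content/byte_test logic of sid:17363 rev:1 quoted above evaluates a payload, and what rmkml's suggested `isdataat:255,relative; content:!"|00|"; within:255;` additions change, run over constructed sample buffers. Snort semantics are approximated: byte_test reads big-endian by default and does not advance the detection cursor, which stays just after "LABL", isdataat is treated as "at least 255 bytes remain after the cursor", and the payloads are constructed, not real DMG data.

```python
import struct

LABL = b"\x4c\x41\x42\x4c"  # content:"|4C 41 42 4C|" from sid:17363

def _cursors_after_labl(payload: bytes):
    """Cursor position after each "LABL" occurrence; Snort retries later
    content matches when a relative option following it fails."""
    start = 0
    while (i := payload.find(LABL, start)) >= 0:
        yield i + len(LABL)
        start = i + 1

def byte_test_2_gt_254_off12(payload: bytes, cursor: int) -> bool:
    """byte_test:2,>,254,12,relative -- 2 big-endian bytes, 12 past the cursor."""
    off = cursor + 12
    if off + 2 > len(payload):
        return False
    return struct.unpack(">H", payload[off:off + 2])[0] > 254

def rule_rev1(payload: bytes) -> bool:
    """sid:17363 rev:1 as quoted in the thread (content + byte_test only)."""
    return any(byte_test_2_gt_254_off12(payload, c) for c in _cursors_after_labl(payload))

def rule_rev1_with_tweak(payload: bytes) -> bool:
    """rev:1 plus rmkml's 'isdataat:255,relative; content:!"|00|"; within:255;'.
    isdataat is approximated as 'at least 255 bytes remain after the cursor'."""
    for c in _cursors_after_labl(payload):
        if not byte_test_2_gt_254_off12(payload, c):
            continue
        if len(payload) - c < 255:           # isdataat:255,relative
            continue
        if b"\x00" in payload[c:c + 255]:    # content:!"|00|"; within:255;
            continue
        return True
    return False

# Constructed sample payloads (not real DMG data).
# Oversized length field (0x01FF = 511) followed by 255 non-null bytes.
SUSPICIOUS = b"hdr" + LABL + b"\x11" * 12 + b"\x01\xff" + b"A" * 255
# Same kind of length field, but surrounded by null bytes, as arbitrary binary
# content that merely happens to contain "LABL" usually is.
BENIGN_BINARY = b"\x00\x01" + LABL + b"\x00" * 12 + b"\x02\x00" + b"\x00Z" * 128
# Length field within bounds (0x0010 = 16): neither variant fires.
SMALL = b"x" + LABL + b"\x00" * 12 + b"\x00\x10" + b"B" * 255
# Caveat: a length whose low byte is 0x00 (e.g. 0x0100) would itself trip the negated null check.

if __name__ == "__main__":
    for name, p in (("SUSPICIOUS", SUSPICIOUS), ("BENIGN_BINARY", BENIGN_BINARY), ("SMALL", SMALL)):
        print(f"{name:14} rev1={rule_rev1(p)} tweaked={rule_rev1_with_tweak(p)}")
```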
