Snort mailing list archives

Snort load error with rule sid 21349


From: Jon Larson <jon () catbird com>
Date: Wed, 28 Nov 2012 18:50:06 -0800

The latest server-other.rules file contains this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] ( \
    msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; \
    flow:to_server,established; \
    content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; \
    isdataat:80,relative; \
    pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; \
    metadata:policy security-ips drop; \
    reference:bugtraq,37250; reference:cve,2009-3844; reference:url,osvdb.org/60852; \
    classtype:attempted-admin; sid:21349; rev:2; \
)

I include this in my snort.conf.  Then when I do "service snortd start" 
it fails and this error is in /var/log/messages:

snort[8808]: FATAL ERROR: /opt/catbird/lib/snort/server-other.rules(382) : pcre compile of
"^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})"
failed at offset 243 : repeated subpattern is too long

Here is the version information:
sbin/snort -V

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
            Using libpcap version 1.0.0
            Using PCRE version: 6.6 06-Feb-2006
            Using ZLIB version: 1.2.3

Any and all help would be greatly appreciated!
Jonny L.
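The post shows a rule that Snort refuses to load because its pcre option does not compile on the installed PCRE 6.6. The script below is an added example, not part of the post or of the Snort project: it pulls the pcre option out of each rule in a Snort rules file, maps the Snort flags that have a Python re equivalent, compiles the pattern, and reports the rule's sid for anything the engine rejects, so a rules update can be checked before the sensor is restarted. Python's re module stands in for libpcre here, so it only catches problems the two engines share: it accepts sid 21349's pattern, which the PCRE 6.6 in the post rejected, so a pass is a syntax check and not proof that a particular libpcre build will take it. The rules text (the post's rule on one line plus a deliberately broken rule), the sample payloads and every function name are constructed for the example.

```python
import re

# Snort pcre option: pcre:[!]"/regex/flags";  the body may contain escaped
# slashes, so it is scanned as "escaped char, or any char other than / or \".
PCRE_OPT = re.compile(r'pcre:\s*(!?)"/((?:\\.|[^/\\])*)/([A-Za-z]*)"')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')

# Snort pcre flags with a direct equivalent in Python's re.  Every other letter
# (R and the buffer selectors, A, E, G, O) has no re counterpart and is reported
# as unsupported rather than silently dropped.
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Constructed rules file: the rule from the post on one line, as it sits in
# server-other.rules, plus a constructed broken rule to show an error report.
RULES_TEXT = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; isdataat:80,relative; pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; metadata:policy security-ips drop; reference:bugtraq,37250; reference:cve,2009-3844; reference:url,osvdb.org/60852; classtype:attempted-admin; sid:21349; rev:2;)
alert tcp any any -> any any (msg:"constructed broken rule"; pcre:"/(unclosed/"; sid:9000001; rev:1;)
'''

# Constructed payloads for sid 21349's regex: three non-null two-byte units,
# each followed by a two-byte null, then a run of 64 non-null units (matches)
# or of only 10 (too short for either branch of the final alternation).
SAMPLE_MATCH = b"A\x00\x00\x00" * 3 + b"A\x00" * 64
SAMPLE_NOMATCH = b"A\x00\x00\x00" * 3 + b"A\x00" * 10


def snort_flags_to_re(letters):
    """Return (re flags, the letters that have no re equivalent)."""
    flags = 0
    unsupported = ""
    for ch in letters:
        if ch in FLAG_MAP:
            flags |= FLAG_MAP[ch]
        else:
            unsupported += ch
    return flags, unsupported


def check_rules(text):
    """Compile the pcre option of every rule (one rule per line; Snort's
    backslash continuations are not joined here).  One report per rule that
    carries a pcre option."""
    reports = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_OPT.search(line)
        if not m:
            continue
        sid_m = SID_OPT.search(line)
        flags, unsupported = snort_flags_to_re(m.group(3))
        report = {
            "line": lineno,
            "sid": int(sid_m.group(1)) if sid_m else None,
            "negated": m.group(1) == "!",
            "pattern": m.group(2),
            "flags": m.group(3),
            "unsupported": unsupported,
            "ok": True,
            "error": None,
        }
        try:
            # Rules are ASCII; compile as a bytes pattern so \x00 escapes are
            # matched against raw payload bytes, as Snort would.
            re.compile(report["pattern"].encode("latin-1"), flags)
        except re.error as exc:
            report["ok"] = False
            report["error"] = str(exc)
        reports.append(report)
    return reports


def matches_payload(pattern, payload, letters=""):
    """Anchored test of a rule's regex against the bytes where Snort would apply
    it (for a /R pattern, the bytes right after the previous content match)."""
    flags, _ = snort_flags_to_re(letters)
    return re.compile(pattern.encode("latin-1"), flags).match(payload) is not None


if __name__ == "__main__":
    for r in check_rules(RULES_TEXT):
        status = "ok" if r["ok"] else "FAILED: " + r["error"]
        print(f"line {r['line']} sid {r['sid']} flags {r['flags']!r} "
              f"(no re equivalent: {r['unsupported']!r}): {status}")
```

Run it against a real rules file by replacing RULES_TEXT with the file's contents; rules that Snort spreads over several lines with a trailing backslash need to be joined first. The /R flag is reported as unsupported because relative matching is a Snort concept, which is why matches_payload expects to be handed the bytes following the content match rather than the whole packet.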



Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs