Snort mailing list archives
RE: Flowbits
From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Tue, 24 Feb 2004 11:11:01 -0500
I did on a Solaris installation. I removed the flowbits section from the rules just to get things going again. Not sure how to enable that functionality yet.

Best regards,
Michael D. Peters

-----Original Message-----
From: Douglas McCrea [mailto:dmccrea () rutgers edu]
Sent: Tuesday, February 24, 2004 10:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Flowbits

I'm running Snort 2.1 on Windows 2000 and I'm getting the following error after changing my ruleset to snortrules-snapshot-2_1.tar.gz from current:

ERROR: Warning: ../rules/netbios.rules(30) => Unknown keyword ' flowbits' in rule!
Fatal Error, Quitting..

Here are the six new rules causing the problem:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2192; rev:2;)

alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; distance:0; within:1; content:"|0c|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00 00|"; distance:33; within:2; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2350; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2352; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS SMB DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 00 00 05 00 0b|"; distance:5; within:17; byte_test:1,&,16,1,relative; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; within:16; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:1;)

alert tcp any any -> any 445 (msg:"NETBIOS DCE/RPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:1; content:"|00|"; distance:1; within:1; byte_test:1,&,3,0,relative; content:"|00 00|"; distance:19; within:2; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:1;)

These rules were obtained from the snortrules-snapshot-2_1.tar.gz ruleset. Is anyone else having problems with this?

Thanks
Doug

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
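The three ISystemActivator rules quoted above (sids 2192, 2350 and 2352) only make sense as a chain: the first two are silent (flowbits:noalert) and exist to record per-session state, and the overflow rule is gated on that state with flowbits:isset. The Python below is an added example, not Snort code and not part of this thread; it is a toy per-flow flowbits evaluator that models those three rules so you can see the chain work. The packets are constructed test data, the byte checks are simplified readings of the rules' content/byte_test options (the "|00 00|" result check in sid 2350 is left out), and the endpoint addresses and helper names are assumptions.

```python
"""Toy per-flow flowbits evaluator modelled on sids 2192/2350/2352.
Added example, not Snort code. Packets and offsets are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]
SERVER_PORT = 135  # the rules watch DCERPC on tcp/135

# ISystemActivator abstract-syntax UUID as written in sid 2192; it sits at
# byte offset 32 of a DCERPC bind PDU (offset 3 after "|0b|", distance 29).
ISYSTEMACTIVATOR_UUID = bytes.fromhex("a001000000000000c000000000000046")


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class Rule:
    sid: int
    direction: str                   # flow:to_server / flow:from_server
    match: Callable[[bytes], bool]   # stands in for content/byte_test options
    isset: Optional[str] = None      # flowbits:isset,<name>
    set: Optional[str] = None        # flowbits:set,<name>
    noalert: bool = False            # flowbits:noalert


def flow_key(pkt: Packet) -> frozenset:
    # Both directions of one TCP session share the same flowbits state.
    return frozenset((pkt.src, pkt.dst))


def direction(pkt: Packet) -> str:
    return "to_server" if pkt.dst[1] == SERVER_PORT else "from_server"


def dcerpc_header_ok(p: bytes, ptype: int) -> bool:
    # "|05|" at offset 0, packet type at offset 2, PFC_FIRST_FRAG bit at 3
    return len(p) > 3 and p[0] == 0x05 and p[2] == ptype and (p[3] & 0x01) != 0


def is_isa_bind(p: bytes) -> bool:
    # sid 2192: bind (0x0b) whose abstract syntax UUID is ISystemActivator
    return dcerpc_header_ok(p, 0x0B) and p[32:48] == ISYSTEMACTIVATOR_UUID


def is_bind_ack(p: bytes) -> bool:
    # sid 2350: bind_ack (0x0c); the trailing "|00 00|" check is omitted here
    return dcerpc_header_ok(p, 0x0C)


def is_path_overflow(p: bytes) -> bool:
    # sid 2352: big-endian data representation (byte 4 < 16), a UTF-16LE
    # "\\" (5c 00 5c 00), and the 4-byte big-endian length that precedes it
    # (byte_test:4,>,256,-8,relative) greater than 256.
    if len(p) < 5 or p[0] != 0x05 or p[4] >= 0x10:
        return False
    i = p.find(b"\x5c\x00\x5c\x00")
    return i >= 4 and int.from_bytes(p[i - 4:i], "big") > 256


RULES: List[Rule] = [
    Rule(2192, "to_server", is_isa_bind,
         set="dce.isystemactivator.bind.attempt", noalert=True),
    Rule(2350, "from_server", is_bind_ack,
         isset="dce.isystemactivator.bind.attempt",
         set="dce.isystemactivator.bind", noalert=True),
    Rule(2352, "to_server", is_path_overflow,
         isset="dce.isystemactivator.bind"),
]


def evaluate(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, int]]:
    """Return (packet_index, sid) for each alert; flowbits state is per flow."""
    state: Dict[frozenset, Set[str]] = {}
    alerts: List[Tuple[int, int]] = []
    for idx, pkt in enumerate(packets):
        bits = state.setdefault(flow_key(pkt), set())
        for rule in rules:
            if rule.direction != direction(pkt) or not rule.match(pkt.payload):
                continue
            if rule.isset is not None and rule.isset not in bits:
                continue            # isset failed: rule does not match at all
            if rule.set is not None:
                bits.add(rule.set)  # set happens even when noalert
            if not rule.noalert:
                alerts.append((idx, rule.sid))
    return alerts


# --- constructed PDUs (not captures) -------------------------------------
def bind_pdu(uuid: bytes) -> bytes:
    hdr = bytes([0x05, 0x00, 0x0B, 0x03, 0x10, 0x00, 0x00, 0x00])  # LE drep
    return hdr + b"\x00" * (32 - len(hdr)) + uuid + b"\x00" * 8


def bind_ack_pdu() -> bytes:
    return bytes([0x05, 0x00, 0x0C, 0x03, 0x10, 0x00, 0x00, 0x00]) + b"\x00" * 32


def request_pdu(path_len: int) -> bytes:
    hdr = bytes([0x05, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00])  # BE drep
    return hdr + b"\x00" * 16 + path_len.to_bytes(4, "big") + b"\x5c\x00\x5c\x00" + b"A\x00" * 8


CLIENT = ("10.0.0.5", 40000)          # assumed addresses
SERVER = ("192.168.1.10", 135)
OTHER_SERVER = ("192.168.1.11", 135)


def attack_session() -> List[Packet]:
    return [Packet(CLIENT, SERVER, bind_pdu(ISYSTEMACTIVATOR_UUID)),
            Packet(SERVER, CLIENT, bind_ack_pdu()),
            Packet(CLIENT, SERVER, request_pdu(512))]


def cold_overflow() -> List[Packet]:
    # same overflow PDU with no bind on this flow: isset fails, no alert
    return [Packet(CLIENT, SERVER, request_pdu(512))]


def cross_flow() -> List[Packet]:
    # bind on one server, overflow at another: bits do not cross flows
    return [Packet(CLIENT, SERVER, bind_pdu(ISYSTEMACTIVATOR_UUID)),
            Packet(SERVER, CLIENT, bind_ack_pdu()),
            Packet(CLIENT, OTHER_SERVER, request_pdu(512))]


if __name__ == "__main__":
    print(evaluate(attack_session()), evaluate(cold_overflow()), evaluate(cross_flow()))
```

Only the full bind / bind_ack / oversized-path sequence on one session produces an alert, and it is a single sid 2352 event; the two state-setting rules never alert because of noalert, and state set on one flow does nothing for another. That is also why simply deleting the flowbits options, as the reply above describes, changes the rules' meaning: sid 2352 would then fire on any big-endian DCERPC PDU with a long path, bound or not, and sids 2192 and 2350 would start alerting on every ISystemActivator bind.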
Current thread:
- Flowbits Douglas McCrea (Feb 24)
- <Possible follow-ups>
- RE: Flowbits Peters, Michael D. (Feb 24)
- Re: Flowbits Joe Matusiewicz (Feb 24)
- Re: flowbits adam (Feb 24)
- Re: Re: flowbits Andreas Östling (Feb 24)
- RE: Re: flowbits Douglas McCrea (Feb 24)
- Re: flowbits adam (Feb 24)