Re: Unknown rule option sip_header

[James Lay <jlay () slave-tothe-box net>]

On 2014-10-01 10:56, Shirkdog wrote:
> If not you will need to disable that rule. You can used pullpork to
> keep that signature disabled on rule updates.
>
> On Oct 1, 2014 12:07 PM, "James Lay" <jlay () slave-tothe-box net [8]>
> wrote:
>
> > On 2014-10-01 09:40, Y M wrote:
> > > > To: snort-users () lists sourceforge net [1]
> > > > Date: Wed, 1 Oct 2014 08:09:10 -0600
> > > > From: jlay () slave-tothe-box net [2]
> > > > Subject: [Snort-users] Unknown rule option sip_header
> > > >
> > > > Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR:
> > > > /etc/snort/rules/snort.rules(31729) Unknown rule option:
> > > sip_header.
> > > > alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS
> > > (msg:"OS-OTHER
> > > > Bash environment variable injection attempt"; flow:stateless;
> > > > sip_header; content:"() {"; metadata:policy balanced-ips drop,
> > > policy
> > > > security-ips drop, ruleset community, service sip;
> > > > reference:cve,2014-6271; reference:cve,2014-7169;
> > > > classtype:attempted-admin; sid:32041; rev:1;)
> > > >
> > > > Anyone else seeing this?
> > >
> > > Running fine on my side. Is the SIP preprocessor enabled?
> > >
> > > YM
> > >
> > > > James
> >
> > It is not....SIP will never traverse this specific link, so in an
> > effort to optimize and remove unneeded functionality I disabled
> > it.  Are
> > we saying that I MUST have this preprocessor running?  Thanks YM.
> >
> > James

Indeed that has been done.  But that's for THIS time...what about the 
next time a rule pops up with sip_headers;?  Snort will FATAL ERROR and 
sensors will go down (reason #1243 why I have my pulled pork processes 
run while I'm at work to see it happen).  Which is why in the long 
rung...I'd rather have snort continue to run even with an errored rule, 
then not at all.  I'll see the FATAL ERROR in my log, and get an email, 
but at least the rest of IDS functionality.  My other option is to just 
sed 's/sip_headers;//' the snort.rules file right before it gets copied 
over...which I may end up doing.

James


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!