Re: Unknown rule option sip_header

[waldo kitty <wkitty42 () windstream net>]

On 10/1/2014 1:04 PM, James Lay wrote:
> On 2014-10-01 10:56, Shirkdog wrote:
> > If not you will need to disable that rule. You can used pullpork to
> > keep that signature disabled on rule updates.
> >
> > On Oct 1, 2014 12:07 PM, "James Lay" <jlay () slave-tothe-box net [8]>
> > wrote:
> >
> > > On 2014-10-01 09:40, Y M wrote:
> > > > > To: snort-users () lists sourceforge net [1]
> > > > > Date: Wed, 1 Oct 2014 08:09:10 -0600
> > > > > From: jlay () slave-tothe-box net [2]
> > > > > Subject: [Snort-users] Unknown rule option sip_header
> > > > >
> > > > > Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR:
> > > > > /etc/snort/rules/snort.rules(31729) Unknown rule option:
> > > > sip_header.
> > > > > alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS
> > > > (msg:"OS-OTHER
> > > > > Bash environment variable injection attempt"; flow:stateless;
> > > > > sip_header; content:"() {"; metadata:policy balanced-ips drop,
> > > > policy
> > > > > security-ips drop, ruleset community, service sip;
> > > > > reference:cve,2014-6271; reference:cve,2014-7169;
> > > > > classtype:attempted-admin; sid:32041; rev:1;)
> > > > >
> > > > > Anyone else seeing this?
> > > >
> > > > Running fine on my side. Is the SIP preprocessor enabled?
> > > >
> > > > YM
> > > >
> > > > > James
> > >
> > > It is not....SIP will never traverse this specific link, so in an
> > > effort to optimize and remove unneeded functionality I disabled
> > > it.  Are
> > > we saying that I MUST have this preprocessor running?  Thanks YM.
> > >
> > > James
>
> Indeed that has been done.  But that's for THIS time...what about the
> next time a rule pops up with sip_headers;?  Snort will FATAL ERROR and
> sensors will go down (reason #1243 why I have my pulled pork processes
> run while I'm at work to see it happen).

unless i'm mistaken, pulledpork has a pcre matching capability that can be used 
to locate rules with matching content and then modify them... in this case, 
matching on ^alert followed by sip_ might be a place to start... them modify the 
rule to change alert to #alert unless the pcre works in PP's disablesid stuff... 
i haven't run PP so this is an eWAG based on "list discussions knowledge"...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!