Snort mailing list archives
Re: Unknown rule option sip_header
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 1 Oct 2014 16:26:36 +0000
We had this bite us.. we came in the morning and found the sensors all off. We just disabled the rule, since like you, sip doesn't transverse our links. On Oct 1, 2014 10:07 AM, "James Lay" <jlay () slave-tothe-box net> wrote:
On 2014-10-01 09:40, Y M wrote:To: snort-users () lists sourceforge net Date: Wed, 1 Oct 2014 08:09:10 -0600 From: jlay () slave-tothe-box net Subject: [Snort-users] Unknown rule option sip_header Oct 1 14:02:31 192.168.1.1 snort[5722]: FATAL ERROR: /etc/snort/rules/snort.rules(31729) Unknown rule option:'sip_header'.alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS(msg:"OS-OTHERBash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy balanced-ips drop,policysecurity-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:1;) Anyone else seeing this?Running fine on my side. Is the SIP preprocessor enabled? YMJamesIt is not....SIP will never traverse this specific link, so in an effort to optimize and remove unneeded functionality I disabled it. Are we saying that I MUST have this preprocessor running? Thanks YM. James ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Jeremy Hoel (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Joel Esler (jesler) (Oct 01)
- Re: Unknown rule option sip_header Jeremy Hoel (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header waldo kitty (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header Shirkdog (Oct 01)
- Re: Unknown rule option sip_header James Lay (Oct 01)
- Re: Unknown rule option sip_header Y M (Oct 01)
- Re: Unknown rule option sip_header waldo kitty (Oct 01)