snort fails at startup due to rule

zuessh · 12-05-2003, 12:31 PM

Any ideas as to why snort is failing at startup due to this ruleset? it is the exploits ruleset? The error I am receiving is; ./exploit.rules(8) => Unknow keywork "flow" in rule! Any ideas or suggestions? Thanks

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:2;) Disable Edit Delete
2 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:2;) Disable Edit Delete
3 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:2;) Disable Edit Delete
4 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:2;) Disable Edit Delete
5 alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: A+; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,215; classtype:attempted-user; sid:283; rev:4;) Disable Edit Delete
6 alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 8001|"; classtype:attempted-admin; sid:284; rev:3;) Disable Edit Delete
7 alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|ffff ff2f 4249 4e2f 5348 00|"; classtype:attempted-admin; sid:285; rev:2;) Disable Edit Delete
8 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd overflow"; flags:A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:2;) Disable Edit Delete
9 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd overflow"; flags:A+; content:"|685d 5eff d5ff d4ff f58b f590 6631|"; classtype:attempted-admin; sid:287; rev:2;) Disable Edit Delete
10 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 linux overflow"; flags:A+; content:"|d840 cd80 e8d9 ffff ff|/bin/sh"; classtype:attempted-admin; sid:288; rev:2;) Disable Edit Delete
11 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 sco overflow"; flags:A+; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|"; classtype:attempted-admin; sid:289; rev:2;) Disable Edit Delete
12 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT qpopper overflow"; flags:A+; content:"|E8 D9FF FFFF|/bin/sh"; reference:bugtraq,830; reference:cve,CAN-1999-0822; classtype:attempted-admin; sid:290; rev:3;) Disable Edit Delete
13 alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"EXPLOIT NNTP Cassandra Overflow"; flags:A+; content: "AUTHINFO USER"; nocase; dsize: >512; depth: 16; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-user; sid:291; rev:3;) Disable Edit Delete
14 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 linux samba overflow"; flags:A+; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292; rev:3;) Disable Edit Delete
15 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap overflow"; flags:A+; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:2;) Disable Edit Delete
16 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:2;) Disable Edit Delete
17 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:2;) Disable Edit Delete
18 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:2;) Disable Edit Delete
19 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:2;) Disable Edit Delete
20 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:2;) Disable Edit Delete
21 alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 solaris overflow"; flags:A+; content:"|eb23 5e33 c088 46fa 8946 f589 36|"; classtype:attempted-admin; sid:300; rev:3; reference:bugtraq,2319;) Disable Edit Delete
22 alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags:A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:cve,CVE-2000-0917; reference:bugtraq,1712; classtype:attempted-admin; sid:301; rev:3;) Disable Edit Delete
23 alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags:A+; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; rev:2;) Disable Edit Delete
24 alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT sco calserver overflow"; flags:A+; content:"|eb7f 5d55 fe4d 98fe 4d9b|"; reference:cve,CVE-2000-0306; reference:bugtraq,2353; classtype:attempted-admin; sid:304; rev:4;) Disable Edit Delete
25 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flags:A+; content: "whois|3a|//"; nocase; dsize: >1000; reference:arachnids,267; classtype:attempted-admin; sid:305; rev:4; reference:bugtraq,808; reference:cve,CVE-2000-0165;) Disable Edit Delete
26 alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flags:A+; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,CAN-2000-0766; classtype:attempted-admin; sid:306; rev:3;) Disable Edit Delete
27 alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT IRC topic overflow"; flags:A+; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:3;) Disable Edit Delete
28 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT NextFTP client overflow"; flags:A+; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671; classtype:attempted-user; sid:308; rev:4;) Disable Edit Delete
29 alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT sniffit overflow"; flags: A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; reference:bugtraq,1158; reference:cve,CAN-2000-0343; reference:arachnids,273; classtype:attempted-admin; sid:309; rev:2;) Disable Edit Delete
30 alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flags:A+; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,2312; reference:cve,CVE-1999-0404; classtype:attempted-admin; sid:310; rev:3;) Disable Edit Delete
31 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape 4.7 unsucessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags:A+; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,214; classtype:unsuccessful-user; sid:311; rev:4;) Disable Edit Delete
32 alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >128; reference:arachnids,492; classtype:attempted-admin; sid:312; rev:1;) Disable Edit Delete
33 alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:2;) Disable Edit Delete
34 alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; flags:A+; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:6;) Disable Edit Delete
35 alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;) Disable Edit Delete
36 alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:315; rev:2;) Disable Edit Delete
37 alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:2;) Disable Edit Delete
38 alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:317; rev:2;) Disable Edit Delete
39 alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overflow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:2; reference:bugtraq,324; reference:cve,CVE-1999-0914;) Disable Edit Delete
40 alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:1;) Disable Edit Delete
41 alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flags:A+; content:"|0131 DBCD 80E8 5BFF FFFF|"; reference:bugtraq,1252; reference:cve,CVE-2000-0446; classtype:attempted-admin; sid:1240; rev:2;) Disable Edit Delete
42 alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT aix pdnsd overflow"; flags:A+; content:"|7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78|"; content:"|408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02|"; dsize:>1000; reference:cve,CVE-1999-0745; reference:bugtraq,3237; classtype:attempted-user; sid:1261; rev:3;) Disable Edit Delete
43 alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flags:A+; content:"-soa %p"; reference:cve,CAN-2001-0838; reference:bugtraq,3474; classtype:misc-attack; sid:1323; rev:3;) Disable Edit Delete
44 alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:3;) Disable Edit Delete
45 alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flags:A+; content:"1"; offset:10; depth:1; content:!"000"; offset:11; depth:3; reference:cve,CAN-2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:4;) Disable Edit Delete
46 alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flags:A+; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; classtype:misc-attack; reference:bugtraq,4631; sid:1751; rev:1;) Disable Edit Delete
47 alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM"; Enable Edit Delete
48 alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM"; Enable Edit Delete
49 alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";

moonloader · 12-05-2003, 12:43 PM

update your rule files or /etc/snort/snort-lib to config or reinstall

unSpawn · 12-06-2003, 08:49 AM

And what version of Snort are you running? If it's a 1.8.x or 1.9.x then upgrade to 2.0.3 (IIRC). *If you then get probs with "pcre" you have to patch manually from snort.org/contrib.