LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-05-2003, 12:31 PM   #1
zuessh
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
snort fails at startup due to rule


Any ideas as to why snort is failing at startup due to this ruleset? It is the exploits ruleset. The error I am receiving is: ./exploit.rules(8) => Unknow keywork "flow" in rule! Any ideas or suggestions? Thanks.

Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:2;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: A+; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,215; classtype:attempted-user; sid:283; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 8001|"; classtype:attempted-admin; sid:284; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|ffff ff2f 4249 4e2f 5348 00|"; classtype:attempted-admin; sid:285; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd overflow"; flags:A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 bsd overflow"; flags:A+; content:"|685d 5eff d5ff d4ff f58b f590 6631|"; classtype:attempted-admin; sid:287; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 linux overflow"; flags:A+; content:"|d840 cd80 e8d9 ffff ff|/bin/sh"; classtype:attempted-admin; sid:288; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT pop3 x86 sco overflow"; flags:A+; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|"; classtype:attempted-admin; sid:289; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXPLOIT qpopper overflow"; flags:A+; content:"|E8 D9FF FFFF|/bin/sh"; reference:bugtraq,830; reference:cve,CAN-1999-0822; classtype:attempted-admin; sid:290; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"EXPLOIT NNTP Cassandra Overflow"; flags:A+; content: "AUTHINFO USER"; nocase; dsize: >512; depth: 16; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-user; sid:291; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 linux samba overflow"; flags:A+; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap overflow"; flags:A+; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPLOIT imap x86 linux overflow"; flags:A+; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 solaris overflow"; flags:A+; content:"|eb23 5e33 c088 46fa 8946 f589 36|"; classtype:attempted-admin; sid:300; rev:3; reference:bugtraq,2319;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags:A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:cve,CVE-2000-0917; reference:bugtraq,1712; classtype:attempted-admin; sid:301; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags:A+; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT sco calserver overflow"; flags:A+; content:"|eb7f 5d55 fe4d 98fe 4d9b|"; reference:cve,CVE-2000-0306; reference:bugtraq,2353; classtype:attempted-admin; sid:304; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flags:A+; content: "whois|3a|//"; nocase; dsize: >1000; reference:arachnids,267; classtype:attempted-admin; sid:305; rev:4; reference:bugtraq,808; reference:cve,CVE-2000-0165;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flags:A+; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,CAN-2000-0766; classtype:attempted-admin; sid:306; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT IRC topic overflow"; flags:A+; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT NextFTP client overflow"; flags:A+; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671; classtype:attempted-user; sid:308; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT sniffit overflow"; flags: A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; reference:bugtraq,1158; reference:cve,CAN-2000-0343; reference:arachnids,273; classtype:attempted-admin; sid:309; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flags:A+; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,2312; reference:cve,CVE-1999-0404; classtype:attempted-admin; sid:310; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape 4.7 unsucessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags:A+; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,214; classtype:unsuccessful-user; sid:311; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >128; reference:arachnids,492; classtype:attempted-admin; sid:312; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; flags:A+; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:315; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:317; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overflow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:2; reference:bugtraq,324; reference:cve,CVE-1999-0914;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flags:A+; content:"|0131 DBCD 80E8 5BFF FFFF|"; reference:bugtraq,1252; reference:cve,CVE-2000-0446; classtype:attempted-admin; sid:1240; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT aix pdnsd overflow"; flags:A+; content:"|7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78|"; content:"|408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02|"; dsize:>1000; reference:cve,CVE-1999-0745; reference:bugtraq,3237; classtype:attempted-user; sid:1261; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flags:A+; content:"-soa %p"; reference:cve,CAN-2001-0838; reference:bugtraq,3474; classtype:misc-attack; sid:1323; rev:3;)
alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flags:A+; content:"1"; offset:10; depth:1; content:!"000"; offset:11; depth:3; reference:cve,CAN-2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flags:A+; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; classtype:misc-attack; reference:bugtraq,4631; sid:1751; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";
 
Old 12-05-2003, 12:43 PM   #2
moonloader
Update your rule files or /etc/snort/snort-lib to config, or reinstall.
 
Old 12-06-2003, 08:49 AM   #3
unSpawn
And what version of Snort are you running? If it's a 1.8.x or 1.9.x then upgrade to 2.0.3 (IIRC). If you then get probs with "pcre" you have to patch manually from snort.org/contrib.
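One way to find which rule in a file uses an option keyword the running Snort build does not know (here `flow`) before restarting the daemon, as an added example that is not part of this thread or of Snort itself: the script splits each rule's option block on unquoted semicolons and reports the file line and sid of every rule using an unknown keyword. The baseline keyword set is an assumption to be filled in from your own Snort version's manual; `flow` is left out of it to model the build in the question.

```python
from typing import List, Optional, Set, Tuple

# Assumed baseline of option keywords the older build accepts; "flow" is
# deliberately absent so rules that use it get reported.
BASELINE_KEYWORDS: Set[str] = {
    "msg", "flags", "content", "nocase", "offset", "depth", "dsize",
    "reference", "classtype", "sid", "rev",
}

# Constructed excerpt of an exploit.rules file: one comment line followed by
# the two ssh CRC32 rules (sids 1324 and 1325) quoted in the question.
SAMPLE_RULES = """\
# exploit.rules -- constructed excerpt for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:2;)
"""

def split_options(option_block: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key; ...' into (key, value) pairs, ignoring ';' inside quotes."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote, prev = False, ""
    def flush() -> None:
        item = "".join(buf).strip()
        if item:
            key, _, val = item.partition(":")
            pairs.append((key.strip(), val.strip()))
        buf.clear()
    for ch in option_block:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote          # toggle on unescaped quotes only
        if ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
        prev = ch
    flush()                                  # tolerate a missing trailing ';'
    return pairs

def find_unknown_keywords(rules_text: str, known: Set[str] = BASELINE_KEYWORDS
                          ) -> List[Tuple[int, Optional[str], str]]:
    """Return (file line, sid, keyword) for every option keyword not in `known`."""
    findings: List[Tuple[int, Optional[str], str]] = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                         # Snort skips comments and blank lines too
        start, end = line.find("("), line.rfind(")")
        if start == -1 or end < start:
            findings.append((line_no, None, "<unparseable rule>"))
            continue
        opts = split_options(line[start + 1:end])
        sid = next((v for k, v in opts if k == "sid"), None)
        findings.extend((line_no, sid, k) for k, _ in opts if k not in known)
    return findings

if __name__ == "__main__":
    for line_no, sid, key in find_unknown_keywords(SAMPLE_RULES):
        print(f"line {line_no} (sid {sid}): unknown keyword '{key}'")
```

Because comment lines count, the line number Snort reports (exploit.rules(8) in the question) is the file line, not the row number in a web rule manager's listing, so run the check against the file Snort actually reads.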