Thread: Problems with sid:2003097

Problems with sid:2003097
user name
2006-10-10 13:55:30
Good point Frank.

By a show of hands.. how many of you are not able to run a 2.4.x or 2.6 version of snort? Are there reasons you're staying back?

Matt

Frank Knobbe wrote:
> On Tue, 2006-10-10 at 08:49 -0400, Matt Jonkman wrote:
>> You need to upgrade snort versions. Since the version you have the max line length for a sig has been extended considerably. Your version is hitting its max line length and thinking the rule is not complete...
>>
>> If you can't upgrade at the moment you can disable that sig. It's an interesting one, but certainly not critical.
> 
> This is the second complaint in a week. Perhaps we should disable it by default and have users of newer versions of Snort enable it.
> 
> Thoughts?
> Frank
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
765-429-0398 Direct
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
Problems with sid:2003097
user name
2006-10-10 13:56:30
Matt Jonkman wrote:
> Good point Frank.
>
> By a show of hands.. how many of you are not able to run a 2.4.x or 2.6 version of snort? Are there reasons you're staying back?
>
> Matt
>
> Frank Knobbe wrote:
>   

I'm using 2.4, but I think users of fwsam are stuck at 2.3, right?


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net  / 1+561-999-5000, x 1131

Problems with sid:2003097
user name
2006-10-10 13:58:22
On Tue, 2006-10-10 at 09:56 -0400, Michael Scheidell wrote:
> I'm using 2.4, but I think users of fwsam are stuck at 2.3, right?

Lol...uhm... no 

Snortsam runs on anything up to and including 2.6. Haven't tested 3.0 yet since I don't have access to it. ;)

(2.4 patches cleanly, 2.6 needs one minor edit by hand after patching).

-Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

Problems with sid:2003097
user name
2006-10-10 14:02:26
Frank Knobbe wrote:
> On Tue, 2006-10-10 at 09:56 -0400, Michael Scheidell wrote:
>> I'm using 2.4, but I think users of fwsam are stuck at 2.3, right?
>
> Lol...uhm... no 
>
> Snortsam runs on anything up to and including 2.6. Haven't tested 3.0 yet since I don't have access to it. ;)
>
> (2.4 patches cleanly, 2.6 needs one minor edit by hand after patching).
>
> -Frank

Then I can't see any reason to stay under the 2.4 branch, considering options, security patches, optimizations. Some OEMs might be stuck, but then again, they aren't on the bleeding edge, are they?

If they were called 'old-stagnant-sigs' and not 'bleeding-sigs'... but I do remember the SSH_PORTS debacle.
Rule #1: thou shalt not kill (unless you have to).
Upgrades should be made as backward compatible as possible. New options should be off by default if they change existing behavior. Users should be made to READ THE README, and enable rules only after making sure they won't break their install.


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net  / 1+561-999-5000, x 1131
Problems with sid:2003097
user name
2006-10-10 14:09:00
On Tue, 2006-10-10 at 10:02 -0400, Michael Scheidell wrote:
> Some OEMs might be stuck, but then again, they aren't on the bleeding edge, are they?

Yeah, you bring up a good point. It's Bleeding Edge after all. Not cozy-comfy-no-problem-upgrade-edge. 

> Rule #1: thou shalt not kill (unless you have to).

I thought it was "Thou shalt not kill -9." ;)

> Upgrades should be made as backward compatible as possible. New options should be off by default if they change existing behavior. Users should be made to READ THE README, and enable rules only after making sure they won't break their install.

Yeah, but... it's just a rule. And actually, a bad rule on top of that. Are *all* these contents needed? Couldn't there be one large (but not too large!) one? At least, it could be trimmed down far enough where the old Snorts don't barf and the rule still not FP's.

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

Problems with sid:2003097
user name
2006-10-10 14:14:21
It's a decent sig, and I don't think the contents can be combined.

Let's let a few others chime in as to the version they run, but I think we'll end up staying with this sig on and active. If you're not to a recent snort, there are a lot of reasons you should.

Matt

On 10/10/06, Frank Knobbe <frank@knobbe.us> wrote:
> On Tue, 2006-10-10 at 10:02 -0400, Michael Scheidell wrote:
> > Some OEMs might be stuck, but then again, they aren't on the bleeding edge, are they?
>
> Yeah, you bring up a good point. It's Bleeding Edge after all. Not cozy-comfy-no-problem-upgrade-edge. 
>
> > Rule #1: thou shalt not kill (unless you have to).
>
> I thought it was "Thou shalt not kill -9." ;)
>
> > Upgrades should be made as backward compatible as possible. New options should be off by default if they change existing behavior. Users should be made to READ THE README, and enable rules only after making sure they won't break their install.
>
> Yeah, but... it's just a rule. And actually, a bad rule on top of that. Are *all* these contents needed? Couldn't there be one large (but not too large!) one? At least, it could be trimmed down far enough where the old Snorts don't barf and the rule still not FP's.
>
> -Frank


-- 
Matt Jonkman
Bleeding Snort
http://www.bleedingsnort.com
Problems with sid:2003097
user name
2006-10-10 14:14:26
Frank Knobbe wrote:
> Yeah, but... it's just a rule. And actually, a bad rule on top of that.
>   
Rule #1 on our anti-spam product.. new feature gets added, if it changes behavior, turn it off, notify clients and tell them how to turn it on. (And it's hard since spammers are changing things daily. Sales people send very BAD emails (big embedded images in sigs), legitimate[sic] marketing companies use spammer 'tricks' to track readers. If we enforced all the RFCs, clients would not get all their email (hey, even bleeding snort mail has been known to break the RFCs every once in a while).)

Since we aren't dealing with 'consumers', Rule #1 isn't all that important, but.. why not turn the rule off by default, and let users turn it on? Hey, everyone reads the oinkmaster reports, right?
> Are *all* these contents needed? Couldn't there be one large (but not too large!) one? At least, it could be trimmed down far enough where the old Snorts don't barf and the rule still not FP's.
>
>   
Two rules?
> -Frank
>
>
>   


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net  / 1+561-999-5000, x 1131

Problems with sid:2003097
user name
2006-10-10 14:19:48
On Tue, 2006-10-10 at 10:14 -0400, Matt Jonkman wrote:
> It's a decent sig, and I don't think the contents can be combined.

No, it's not. The contents are not linked with distance/within. You have 18 unlinked content matches. Can you imagine the amount of recursion on that one? Snort has to search the packet over and over again, 18 times, for each hit.

I don't even dare enable rules like that, but I got different standards I guess. 

Anyway, you all can do with that rule what you want. I don't run so I don't care. But it remains a bad sig. 

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

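The two complaints in this thread, a rule line that an older Snort parser truncates (Matt's first message) and a rule whose content matches are not chained with distance/within so the engine rescans the payload for each one (Frank's message above), can both be caught before a ruleset is pushed to sensors. The linter below is an added example written for this page; it is not code from the Bleeding Snort project or from any poster. The sample rules in it are constructed, their sids are local-range placeholders, and the line-length threshold is a parameter you set for your own sensors, not a limit taken from any Snort release.

```python
"""Lint Snort 2.x rule lines for the two problems raised in this thread:
rule lines longer than an older Snort parser accepts, and rules whose
content matches are not chained to each other with distance/within."""
import re

# Line-length threshold to flag. This is a linter parameter chosen by the
# operator, not a constant taken from any Snort release.
DEFAULT_MAX_LINE = 1024

_OPTIONS_RE = re.compile(r"\((.*)\)\s*$", re.DOTALL)
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def split_options(option_body):
    """Split the text between a rule's parentheses into option strings.
    A ';' inside double quotes (e.g. content:"a;b") does not split, and
    a backslash escapes the next character."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def analyze_rule(rule, max_line=DEFAULT_MAX_LINE):
    """Describe one rule line: its sid, how many content options it has,
    how many of those after the first lack distance/within, and whether
    the line is longer than max_line."""
    m = _OPTIONS_RE.search(rule)
    if not m:
        raise ValueError("no option block found in rule")
    body = m.group(1)
    sid_m = _SID_RE.search(body)
    contents = []  # one record per content option, in rule order
    for opt in split_options(body):
        key = opt.split(":", 1)[0].strip().lower()
        if key == "content":
            contents.append({"distance": False, "within": False})
        elif key in ("distance", "within") and contents:
            # distance/within modify the most recent content option
            contents[-1][key] = True
    # The first content has nothing to be relative to. Each later one
    # should carry distance or within so the engine continues from the
    # previous match instead of rescanning the payload from the start.
    unlinked = sum(1 for c in contents[1:]
                   if not (c["distance"] or c["within"]))
    return {
        "sid": int(sid_m.group(1)) if sid_m else None,
        "contents": len(contents),
        "unlinked": unlinked,
        "line_length": len(rule),
        "too_long": len(rule) > max_line,
    }


def lint_rules(text, max_line=DEFAULT_MAX_LINE, max_unlinked=0):
    """Run analyze_rule over every rule line in text (one rule per line;
    comments and blank lines skipped) and return findings for rules that
    are too long or have more than max_unlinked unlinked contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = analyze_rule(line, max_line)
        info["line"] = lineno
        if info["too_long"] or info["unlinked"] > max_unlinked:
            findings.append(info)
    return findings


# Constructed sample rules for the demonstration; they are not rules
# from the Bleeding ruleset and the sids are local-range placeholders.
SAMPLE_RULES = """\
# constructed samples
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unlinked contents"; flow:established,to_server; content:"AAAA"; content:"BBBB"; content:"CCCC"; content:"DDDD"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE chained contents"; flow:established,to_server; content:"AAAA"; content:"BBBB"; distance:0; within:64; content:"CCCC"; distance:0; content:"DDDD"; within:128; classtype:misc-activity; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES, max_line=200):
        print("line %(line)d sid %(sid)s: %(contents)d contents, "
              "%(unlinked)d unlinked, %(line_length)d chars, "
              "too_long=%(too_long)s" % f)
```

analyze_rule counts a content as unlinked when it is not the first content in the rule and carries neither distance nor within. Absolute anchors (offset/depth) are deliberately not counted, and rules continued across several lines with a trailing backslash are not handled, so join those before feeding them in.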
Problems with sid:2003097
user name
2006-10-10 14:24:17
Matt,

We are still running 2.3.3 on all of our sensors here because of the difficulty involved in upgrading a lot of sensors in different geographical regions. Also we have a lot of custom automation around snort that we would have to test to make sure it doesn't break with a new version. What are some of the reasons we should look into upgrading? Does SourceFire keep a list somewhere of reasons to update from earlier versions? I would be more than willing to make the switch if there are a couple of good reasons..

-Ken


On 10/10/06, Matt Jonkman <jonkman@gmail.com> wrote:
> It's a decent sig, and I don't think the contents can be combined.
>
> Let's let a few others chime in as to the version they run, but I think we'll end up staying with this sig on and active. If you're not to a recent snort, there are a lot of reasons you should.
>
> Matt
>
> On 10/10/06, Frank Knobbe <frank@knobbe.us> wrote:
> > Yeah, but... it's just a rule. And actually, a bad rule on top of that. Are *all* these contents needed? Couldn't there be one large (but not too large!) one? At least, it could be trimmed down far enough where the old Snorts don't barf and the rule still not FP's.
> >
> > -Frank

Problems with sid:2003097
user name
2006-10-10 14:23:36
I meant it was a valuable and accurate sig, wasn't commenting on its efficiency. 

It's not that bad a thing though. No significant load increases across our systems with it.

Matt

Frank Knobbe wrote:
> On Tue, 2006-10-10 at 10:14 -0400, Matt Jonkman wrote:
>> It's a decent sig, and I don't think the contents can be combined.
> 
> No, it's not. The contents are not linked with distance/within. You have 18 unlinked content matches. Can you imagine the amount of recursion on that one? Snort has to search the packet over and over again, 18 times, for each hit.
> 
> I don't even dare enable rules like that, but I got different standards I guess. 
> 
> Anyway, you all can do with that rule what you want. I don't run so I don't care. But it remains a bad sig. 
> 
> Cheers,
> Frank

-- 
--------------------------------------------
Matthew Jonkman, CISSP
765-429-0398 Direct
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------

