[Oisf-users] this rule appears to make suri crash

Russell Fulton r.fulton at auckland.ac.nz
Tue Aug 20 02:46:29 UTC 2013


Ah! After a lot more trial and error I think I hit on the wrong rule.

I now believe that it is the rule associated with file capture, which makes a whole lot more sense from several perspectives.

alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)

I even have an idea about what the cause might be: I also have file-log set, which appears to work fine except that the "magic" is always "unknown". If there is something screwy on my system with magic lookups then maybe that is involved in this crash.

Peter: you have a copy of my config, is there anything else you need?

R

On 19/08/2013, at 4:30 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CUSTOM MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; offset:0; depth:3; content:"|e0 00 00 \
> 00 00 00|"; offset:5; depth:6; content:"Cookie|3a|mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540;classtype:protocol-command-decode; )
> 
> When I include this rule I get a general protection fault.
> 
> Russell
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
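As an added example (not code from the thread or from the Suricata project): a small Python linter that splits a Suricata rule into its header and options, tolerating ';' and ':' inside double-quoted values such as content:"Cookie|3a|mstshash=a|0d 0a|", and reports missing sid/rev or an unterminated quote. The two rules from this thread are embedded as constructed samples, with the Morto rule re-joined onto one line.

```python
from typing import List, Tuple

# Constructed samples: the two rules quoted in this thread (Morto rule re-joined).
FILE_RULE = ('alert http any any -> any any (msg:"FILE magic -- windows"; '
             'flow:established,to_client; filemagic:"executable for MS Windows"; '
             'filestore; sid:18; rev:1;)')
MORTO_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CUSTOM MS Terminal '
              'Server User A Login, possible Morto inbound"; flow:to_server,established; '
              'content:"|03 00 00|"; offset:0; depth:3; content:"|e0 00 00 00 00 00|"; '
              'offset:5; depth:6; content:"Cookie|3a|mstshash=a|0d 0a|"; nocase; '
              'reference:cve,CAN-2001-0540;classtype:protocol-command-decode; )')


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]], bool]:
    """Return (header, [(keyword, value), ...], quotes_balanced).

    Options are separated by ';' unless the ';' sits inside a double-quoted
    value; a backslash escapes the following character. A keyword with no
    ':' (e.g. filestore, nocase) gets an empty value."""
    header = rule[:rule.index("(")].strip()
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        options.append("".join(buf).strip())
    parsed = []
    for opt in options:
        key, _, val = opt.partition(":")
        parsed.append((key.strip(), val.strip()))
    return header, parsed, not in_quote


def lint_rule(rule: str) -> List[str]:
    """Report structural problems Suricata itself would reject at load time."""
    _, opts, balanced = parse_rule(rule)
    keys = [k for k, _ in opts]
    problems = []
    if not balanced:
        problems.append("unterminated quoted value")
    if "sid" not in keys:
        problems.append("missing sid (Suricata refuses to load a rule without one)")
    if "rev" not in keys:
        problems.append("missing rev")
    return problems
```

Running lint_rule over a rules file before reloading Suricata catches the missing sid/rev on the Morto rule, which is a load-time error rather than a reason for a crash.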
