[Oisf-users] this rule appears to make suri crash

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 20 06:25:41 UTC 2013



Suricata is sensitive to the version of libmagic on your system. You
should put some Windows executables on the same box and run 'file' on
them to see what the output is. For example, from my system:

> exe_01eac241a593594e9da4d28a257a472f: PE32 executable (GUI) Intel 80386, for MS Windows
> exe_802682730d2ed52a074fd1798ed9c7aa: PE32 executable (GUI) Intel 80386, for MS Windows

So this is the rule I'm using (which is working):

> alert http any any -> any any (msg:"FILEMAGIC -- Windows executable"; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:1; rev:1;)

-Coop

On 8/19/2013 7:46 PM, Russell Fulton wrote:
> Ah! after a lot more trial and error I think I hit on the wrong rule.
> 
> I now believe that it is the rule associated with file capture, which makes a whole lot more sense from several perspectives.
> 
> alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)
> 
> I even have an idea about what the cause might be: I also have file-log set, which appears to work fine except that the "magic" is always "unknown". If there is something screwy on my system with magic lookups then maybe that is involved in this crash.
> 
> Peter: you have a copy of my config, is there anything else you need?
> 
> R
> 
> On 19/08/2013, at 4:30 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CUSTOM MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; offset:0; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a|mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540;classtype:protocol-command-decode; )
>>
>> When I include this rule I get a general protection fault.
>>
>> Russell
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
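As an added example (not part of the thread), a small Python checker that pulls the filemagic strings out of the two rules exchanged above and tests them against the 'file' output Cooper quotes, then against any local .exe samples if 'file' is installed. It assumes filemagic behaves as a plain case-sensitive substring match of the libmagic description; the sample output below is the line quoted in the message.

```python
import re
import shutil
import subprocess
from pathlib import Path

# The two filemagic rules from the thread (Cooper's sid:1, Russell's sid:18).
RULES = [
    'alert http any any -> any any (msg:"FILEMAGIC -- Windows executable"; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:1; rev:1;)',
    'alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)',
]

# Constructed sample: the libmagic description Cooper's 'file' printed.
SAMPLE_MAGIC = ["PE32 executable (GUI) Intel 80386, for MS Windows"]

FILEMAGIC_RE = re.compile(r'filemagic:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def filemagic_patterns(rules):
    """Return {sid: filemagic string} for every rule that carries filemagic."""
    out = {}
    for rule in rules:
        m = FILEMAGIC_RE.search(rule)
        if not m:
            continue
        sid = SID_RE.search(rule)
        out[sid.group(1) if sid else rule] = m.group(1)
    return out


def check_patterns(patterns, magic_outputs):
    """Map each sid to the magic descriptions its filemagic string is a substring of."""
    return {sid: [m for m in magic_outputs if pat in m] for sid, pat in patterns.items()}


def local_magic(paths):
    """Run the system 'file -b' on the given paths, if any exist and 'file' is installed."""
    paths = [str(p) for p in paths]
    if not paths or shutil.which("file") is None:
        return []
    res = subprocess.run(["file", "-b", *paths], capture_output=True, text=True, check=False)
    return [line for line in res.stdout.splitlines() if line]


if __name__ == "__main__":
    pats = filemagic_patterns(RULES)
    outputs = SAMPLE_MAGIC + local_magic(Path(".").glob("*.exe"))
    for sid, hits in check_patterns(pats, outputs).items():
        print(f'sid {sid}: filemagic "{pats[sid]}" -> {"matches" if hits else "NO MATCH"}')
```

On the quoted output, sid 1 matches and sid 18 does not, because "executable for MS Windows" is not a substring of "PE32 executable (GUI) Intel 80386, for MS Windows"; rerunning against your own libmagic shows which pattern fits your box.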


