List: snort-sigs
Subject: Re: [Snort-sigs] Bad range in Snort rules
From: Alex McDonnell <amcdonnell () sourcefire ! com>
Date: 2014-01-13 17:54:50
Message-ID: CAK6Z=_WyawTP7WH=t7RJfSLcTgGFS239s6wu4+q6NVAc4eMoCQ () mail ! gmail ! com
Hey Lukas,
Further research indicated that those rules were not necessary to cover the
vuln.
thanks
Alex McDonnell
VRT
On Mon, Jan 13, 2014 at 9:32 AM, Lukas Matt <lukas.matt@sophos.com> wrote:
> Hi Alex, why did you remove them? I mean it is only a little change
> necessary to make them work correctly.
>
> Regards,
> Lukas
>
>
>
> On 01/13/2014 03:24 PM, Alex McDonnell wrote:
>
> Hi Lukas.
>
> The rules in question were deleted the 13th of December and went out in
> SEU: 1018 Date: 2013-12-17
>
> thanks
> Alex McDonnell
> VRT
>
>
> On Mon, Jan 13, 2014 at 8:52 AM, Lukas Matt <lukas.matt@sophos.com> wrote:
>
> > Hi all, was there some progress regarding the bad range over Christmas?
> >
> > Cheers,
> > Lukas
> >
> >
> > On 12/16/2013 06:00 PM, Joel Esler (jesler) wrote:
> >
> > Lukas, yes, this will be fixed in an upcoming release.
> >
> > --
> > *Joel Esler*
> > Intelligence Lead
> > OpenSource Manager
> > Vulnerability Research Team
> > Jabber: jesler@cisco.com
> >
> > On Dec 16, 2013, at 5:12 AM, Lukas Matt <lukas.matt@sophos.com> wrote:
> >
> > Hey guys,
> >
> > I ran into the following error message: "Bad range: 4294967296"
> > That affects rules 28519 and 28514. The problem here is the following part:
> >
> > byte_test:4,>,4294967296,18,relative,little;
> >
> > Under 32-bit the maximum Int is 2^32-1 but in the rule you forgot to
> > subtract 1.
> > I also checked the documentation and the maximum for your byte_test is
> > 4294967295.
> >
> > Could you double check that?
> >
> > Cheers,
> > Lukas
> >
> >
> > --
> > Lukas Matt
> > Deep Packet Inspection Researcher, RnD
> >
> > tel: +49-721-25516-322, cell: +49-174-3440-555
> >
> > Sophos Technology GmbH
> > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> >
> > SOPHOS Security made simple
> >
> > ---
> > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > Executive Board: Nicholas Bray, Pino von Kienlin, Richard Walford, Joachim Frost, Günter Junk
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > --
> > Lukas Matt
> > Deep Packet Inspection Researcher, RnD
> >
> > tel: +49-721-25516-322, cell: +49-174-3440-555
> >
> >
> > Sophos Technology GmbH
> > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> >
> > SOPHOS Security made simple
> >
> > ---
> > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
> >
> >
> >
>
>
>
> --
> Lukas Matt
> Deep Packet Inspection Researcher, RnD
>
> tel: +49-721-25516-322, cell: +49-174-3440-555
>
> Sophos Technology GmbH
> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>
> SOPHOS Security made simple
>
> ---
> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>
>
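As an added example (not part of the original thread and not Snort tooling): a small Python linter for the `byte_test` problem discussed above. It flags literal values above 4294967295, the limit cited in the thread, and comparisons that a field of the given byte width can never satisfy. The rule strings and sids are constructed, and the regex-based option parsing is a simplifying assumption, not Snort's own parser.

```python
import re

U32_MAX = 4294967295  # 2**32 - 1, the byte_test maximum cited in the thread
BYTE_TEST_RE = re.compile(r"byte_test\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def lint_byte_test(rule):
    """Return [(sid, option, problem), ...] for each suspect byte_test in one rule."""
    sid_match = SID_RE.search(rule)
    sid = int(sid_match.group(1)) if sid_match else None
    findings = []
    for m in BYTE_TEST_RE.finditer(rule):
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) < 4 or not (args[0].isdigit() and args[2].isdigit()):
            continue  # malformed or non-literal value: out of scope for this check
        nbytes, op, value = int(args[0]), args[1], int(args[2])
        if value > U32_MAX:
            findings.append((sid, m.group(0), "bad range: value exceeds 4294967295"))
            continue
        if "string" in args[4:]:
            continue  # ASCII-encoded number: nbytes counts characters, not raw bytes
        field_max = 256 ** nbytes - 1  # largest unsigned value nbytes raw bytes can hold
        if (op == ">" and value >= field_max) or (op == "=" and value > field_max):
            findings.append((sid, m.group(0),
                             f"never true: a {nbytes}-byte field tops out at {field_max}"))
    return findings

def lint_rules(rules):
    return [finding for rule in rules for finding in lint_byte_test(rule)]

# Constructed sample rules (not taken from any real ruleset); only the byte_test
# option in the first one is the text quoted in the thread.
_HDR = 'alert tcp any any -> any any (msg:"constructed sample"; content:"|AA BB|"; '
SAMPLE_RULES = [
    _HDR + "byte_test:4,>,4294967296,18,relative,little; sid:1000001; rev:1;)",
    _HDR + "byte_test:4,>,4294967295,18,relative,little; sid:1000002; rev:1;)",
    _HDR + "byte_test:2,>,70000,0,relative; sid:1000003; rev:1;)",
    _HDR + "byte_test:4,>,1024,18,relative,little; sid:1000004; rev:1;)",
    _HDR + "byte_test:5,>,70000,0,relative,string,dec; sid:1000005; rev:1;)",
]

if __name__ == "__main__":
    for sid, option, problem in lint_rules(SAMPLE_RULES):
        print(f"sid {sid}: {option} -> {problem}")
```

Running a check like this over a ruleset before deployment surfaces out-of-range literals at review time rather than as a load error on the sensor.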