Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

sid-msg.map not being built properly with emerging threats rules #29

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Not sure if anyone reported this to you or not, but I seem to have a problem with PulledPork v0.4.2 when it builds the sid-msg.map file from the emerging threats rules. Some of the rules/sid pairs are not matching what they should be, somehow using some of the text of the previous rule.

I've attached my sid-msg.map for you to take a look at. sid:2008489 is an example, and it seems to happen with the Suspicious User Agents rules often. I've never seen it happen with any VRT rules.

The line from the sid-msg.map:

2008489 || ET TROJAN Win32/Antivirus2008 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/bin/view/Main/2008489

Grepping my rules files for "sid:2008489" shows me:

emerging.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:4;)

Original issue reported on code.google.com by shawn.je...@gmail.com on 27 Sep 2010 at 3:49

GoogleCodeExporter commented 9 years ago
Any rule with parentheses in the msg field breaks the sid-msg.map. I can confirm that this bug persists with the latest svn version as well.

Original comment by whoownsy...@gmail.com on 4 Oct 2010 at 2:34

GoogleCodeExporter commented 9 years ago
Excellent, thanks for the report folks, I'll be publishing a fix to svn this week!

Original comment by Cummin...@gmail.com on 4 Oct 2010 at 2:48

GoogleCodeExporter commented 9 years ago
Ok, just fixed this one and committed to R:153

New sid-msg.map output for the example:

2008489 || ET USER_AGENTS Suspicious User-Agent (dwplayer) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Susp‌icious || url,doc.emergingthreats.net/bin/view/Main/2008489

Original comment by Cummin...@gmail.com on 8 Oct 2010 at 11:03
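The failure discussed in this thread (a msg field containing parentheses) as an added example, not pulledpork's own code: a small Python sid-msg.map builder that tokenises the rule options with quote and backslash-escape tracking, so a ')' or ';' inside msg or content can never end the option early or pull text from a neighbouring rule. The rules text is constructed (the reported rule with its wrapped lines joined, plus two made-up rules); references are emitted in rule order, which differs from the ordering in PulledPork's output above.

```python
# Constructed rules file, not a real ET file: the rule from the bug report (with
# its wrapped lines joined), a disabled rule, and a rule with ';' and ')' in msg.
RULES_TEXT = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:4;)
#alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED msg; with (parens)"; content:"x\\"y"; reference:url,example.invalid/9000002; sid:9000002; rev:1;)
"""


def split_options(rule):
    """(name, value) pairs from the text inside the outermost parentheses.
    Splits on ';' only outside double quotes and honours backslash escapes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False          # escaped char is literal, even '"' or ';'
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return [tuple(o.split(':', 1)) if ':' in o else (o, '') for o in opts]


def sid_msg_line(rule):
    """sid || msg || reference ... (references in rule order, unlike PulledPork)."""
    sid = msg = None
    refs = []
    for name, value in split_options(rule):
        if name == 'sid':
            sid = value.strip()
        elif name == 'msg':
            msg = value.strip()[1:-1]  # drop only the surrounding quotes
        elif name == 'reference':
            refs.append(value.strip())
    if sid is None or msg is None:
        raise ValueError('rule without sid or msg: ' + rule[:60])
    return ' || '.join([sid, msg] + refs)


def build_sid_msg_map(rules_text):
    """Map lines for every enabled rule; '#' comments and disabled rules are skipped."""
    return [sid_msg_line(line.strip()) for line in rules_text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')]
```

Running build_sid_msg_map(RULES_TEXT) yields the corrected "ET USER_AGENTS Suspicious User-Agent (dwplayer)" entry for sid 2008489 rather than a msg borrowed from the previous rule.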