
Possible bugs and misfeatures



Hi Gianni,

I installed Firestorm from the latest binary rpm
firestorm-0.4.4-1.i386.rpm and came up with a few possible bugs and/or
misfeatures (or features, you never know).

I'm running firestorm in a chroot in /usr/lib/firestorm, loading snort
rules from /rules (i.e. /usr/lib/firestorm/rules) and logging to the
directory /logs.

I obtained the latest experimental snort rules list, combined it all
into one big file and loaded it in.  Firestorm had a few troubles:

The rule:
alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD
TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown;
sid:1431; rev:4;)

caused:
snort: /rules/bigass.rules:663 : Rule failed to commit: BAD TRAFFIC syn
to multicast address

The rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request
tooltalk"; flow:to_server,established; rpc:100083,*,*;
reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003;
reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075;
reference:url,www.cert.org/advisories/CA-2001-05.html;
classtype:rpc-portmap-decode; sid:1298;  rev:7;)

caused:
snort: /rules/bigger.rules:1422 : Rule failed to commit: RPC portmap
request tooltalk

In fact, none of the RPC rules I tried worked.  Neither did any of the
shellcode rules.


I also noticed that firestorm.log gets overwritten each time firestorm
is run.  I don't think this is intentional.

Also, autocreation of a "firestorm" user with a specific uid+gid and a
small Red Hat init script would be nice :)

John.
Technical Deflector
ECSC Ltd.


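As an added example (not part of the original message or of Firestorm or Snort): a small Python parser for the Snort rule syntax that accepts the two constructs the report says failed to commit, the bracketed CIDR list in the destination address and the rpc: option, exercised on constructed copies of the two rules above re-joined from the wrapped mail lines. The rule text constants and all function names are my own; a rule that does not parse raises an error instead of being silently dropped, which is the behaviour a loader should have.

```python
import re
from ipaddress import ip_network

# Constructed copies of the two rules from the report, re-joined from the wrapped mail lines.
MULTICAST_RULE = ('alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any '
                  '(msg:"BAD TRAFFIC syn to multicast address"; flags:S+; '
                  'classtype:bad-unknown; sid:1431; rev:4;)')
RPC_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; '
            'flow:to_server,established; rpc:100083,*,*; reference:cve,CAN-2001-0717; '
            'reference:cve,CVE-1999-0003; classtype:rpc-portmap-decode; sid:1298; rev:7;)')

# action proto src sport dir dst dport (options); a [a,b,c] list contains no spaces.
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)$')

def parse_addr(spec):
    """'any', '$VAR', '1.2.3.0/24', '!x' or '[a,b,c]' -> (negated, [entries])."""
    negated = spec.startswith('!')
    spec = spec.lstrip('!')
    items = spec[1:-1].split(',') if spec[:1] == '[' and spec[-1:] == ']' else [spec]
    entries = []
    for item in items:
        item = item.strip()
        entries.append(item if item == 'any' or item.startswith('$')
                       else ip_network(item, strict=False))
    return negated, entries

def split_options(body):
    """Split 'k:v; k;' on semicolons outside double quotes; keep duplicate keys in order."""
    opts, cur, quoted, prev = [], [], False, ''
    for ch in body:
        if ch == '"' and prev != '\\':      # toggle on an unescaped quote
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    if ''.join(cur).strip():                # last option without a trailing ';'
        opts.append(''.join(cur).strip())
    parsed = []
    for opt in opts:
        key, _, val = opt.partition(':')    # bare options such as 'nocase' get val ''
        parsed.append((key.strip(), val.strip().strip('"')))
    return parsed

def parse_rule(text):
    """Parse one rule into a dict; raise ValueError rather than dropping it silently."""
    m = HEADER_RE.match(' '.join(text.split()))   # collapse mail line-wrapping
    if not m:
        raise ValueError('malformed rule header: %s' % text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {'action': action, 'proto': proto, 'src': parse_addr(src), 'sport': sport,
            'dir': direction, 'dst': parse_addr(dst), 'dport': dport,
            'options': split_options(body)}
```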