Possible bugs and misfeatures
- To: Firestorm <firestorm@xxxxxxxxxx>
- Subject: Possible bugs and misfeatures
- From: John Leach <john@xxxxxxxxxx>
- Date: 19 Jun 2002 10:50:20 +0100
- Delivered-to: mailing list firestorm@ecsc.co.uk
- Mailing-list: contact firestorm-help@ecsc.co.uk; run by ezmlm
Hi Gianni,
I installed Firestorm from the latest binary rpm
firestorm-0.4.4-1.i386.rpm and came up with a few possible bugs and/or
misfeatures (or features, you never know).
I'm running firestorm in a chroot in /usr/lib/firestorm, loading snort
rules from /rules (i.e. /usr/lib/firestorm/rules) and logging to the
directory /logs.
I obtained the latest experimental snort rules list, combined it all
into one big file and loaded it in. Firestorm had a few troubles:
The rule:
alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;)
caused:
snort: /rules/bigass.rules:663 : Rule failed to commit: BAD TRAFFIC syn to multicast address
The rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; flow:to_server,established; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:7;)
caused:
snort: /rules/bigger.rules:1422 : Rule failed to commit: RPC portmap request tooltalk
In fact, none of the RPC rules I tried worked. Neither did any of the
shellcode rules.
I also noticed that firestorm.log gets overwritten each time firestorm
is run. I don't think this is intentional.
Also, autocreation of a "firestorm" user with a specific uid+guid and a
small redhat init script would be nice :)
John.
Technical Deflector
ECSC Ltd.
--
When addressed to our clients any opinions or advice contained
are subject to the terms and conditions expressed in
the governing ECSC Conditions of Service.
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
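As an added illustration, not code from Firestorm, Snort or the poster: the two rules that failed to commit above each use a header construct a rule parser has to support, the bracketed CIDR list in the destination address field and the rpc:program,version,procedure option with '*' wildcards. The Python below parses both rules (rejoined onto one line from the quoted text), expands $HOME_NET/$EXTERNAL_NET from an assumed variable table (the post does not show the snort.conf in use), and runs the header and flags:S+ check over a few constructed packets. It parses the rpc option but does not decode RPC payloads or track the flow: state.

```python
import ipaddress
import re

# Constructed sample input: the two rules quoted in the post, rejoined onto one line each.
MULTICAST_RULE = (
    'alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any '
    '(msg:"BAD TRAFFIC syn to multicast address"; flags:S+; '
    'classtype:bad-unknown; sid:1431; rev:4;)'
)
RPC_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 111 '
    '(msg:"RPC portmap request tooltalk"; flow:to_server,established; '
    'rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; '
    'classtype:rpc-portmap-decode; sid:1298; rev:7;)'
)

# Hypothetical variable bindings; the post does not show the snort.conf in use.
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_addr(spec):
    """'any', a CIDR, a $VAR or a bracketed [a,b,c] list -> (negated, [ip_network, ...])."""
    spec = VARS.get(spec, spec)
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    return negated, [ipaddress.ip_network(VARS.get(i, i), strict=False) for i in items]


def parse_port(spec):
    """'any', 'N' or 'lo:hi' -> inclusive (lo, hi) tuple."""
    if spec == "any":
        return (0, 65535)
    if ":" not in spec:
        return (int(spec), int(spec))
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0, int(hi) if hi else 65535)


def parse_flags(val):
    """'S+' -> ('+', {'S'}); trailing '+' means 'at least these', '*' means 'any of these'."""
    modifier = ""
    if val and val[-1] in "+*":
        modifier, val = val[-1], val[:-1]
    return (modifier, frozenset(val))


def split_options(opts):
    """Split the option body on ';' without breaking inside double-quoted msg strings."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [o for o in out if o]


def parse_options(opts):
    """Return [(key, value), ...] preserving duplicates such as repeated reference: options."""
    result = []
    for item in split_options(opts):
        key, sep, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if key == "rpc":
            # rpc:application,version,procedure; '*' is a wildcard for that field
            val = tuple(None if f.strip() == "*" else int(f) for f in val.split(","))
        elif key == "flags":
            val = parse_flags(val)
        elif key == "msg":
            val = val.strip('"')
        elif key in ("sid", "rev"):
            val = int(val)
        result.append((key, val if sep else None))
    return result


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text[:40])
    return {
        "action": m["action"], "proto": m["proto"], "dir": m["dir"],
        "src": parse_addr(m["src"]), "sport": parse_port(m["sport"]),
        "dst": parse_addr(m["dst"]), "dport": parse_port(m["dport"]),
        "options": parse_options(m["opts"]),
    }


def option(rule, key):
    """First value of a named option, or None if the rule does not carry it."""
    return next((v for k, v in rule["options"] if k == key), None)


def addr_match(addr_spec, ip):
    negated, nets = addr_spec
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated


def flags_match(spec, packet_flags):
    modifier, required = spec
    have = frozenset(packet_flags)
    if modifier == "+":
        return required <= have
    if modifier == "*":
        return bool(required & have)
    return required == have


def header_matches(rule, pkt):
    """Check a packet dict against the rule header and its flags: option (-> direction only)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]
            and addr_match(rule["dst"], pkt["dst"]) and rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]):
        return False
    flags = option(rule, "flags")
    return flags is None or flags_match(flags, pkt.get("flags", ""))


# Constructed packets (not captured traffic).
SYN_TO_MULTICAST = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "239.255.255.250", "dport": 80, "flags": "S"}
SYN_TO_UNICAST = dict(SYN_TO_MULTICAST, dst="192.168.1.10")
ACK_TO_MULTICAST = dict(SYN_TO_MULTICAST, flags="A")
PORTMAP_REQUEST = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 111, "flags": "PA"}

if __name__ == "__main__":
    for text in (MULTICAST_RULE, RPC_RULE):
        rule = parse_rule(text)
        print(option(rule, "sid"), option(rule, "msg"), "rpc=", option(rule, "rpc"))
    print("syn to multicast:", header_matches(parse_rule(MULTICAST_RULE), SYN_TO_MULTICAST))
    print("portmap request:", header_matches(parse_rule(RPC_RULE), PORTMAP_REQUEST))
```

The option list is kept as (key, value) pairs rather than a dict because the tooltalk rule carries several reference: options, which a dict would silently collapse; that is exactly the kind of rule a rules loader has to accept without losing information.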