On Wed, 2002-06-19 at 10:50, John Leach wrote:
> Hi Gianni,
>
> I installed Firestorm from the latest binary rpm
> firestorm-0.4.4-1.i386.rpm and came up with a few possible bugs and/or
> misfeatures (or features, you never know).
>
> I'm running firestorm in a chroot in /usr/lib/firestorm, loading snort
> rules from /rules (i.e: /usr/lib/firestorm/rules) and logging to the
> directory /logs.
>
> I obtained the latest experimental snort rules list, combined it all
> into one big file and loaded it in. Firestorm had a few troubles:

FYI: You can include more than one signatures file from firestorm.conf ;)

> The rule:
> alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD
> TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown;
> sid:1431; rev:4;)
> caused:
> snort: /rules/bigass.rules:663 : Rule failed to commit: BAD TRAFFIC syn
> to multicast address

Ah, this is due to the fact that ip lists aren't supported. The latest code from CVS should fix that.

> The rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request
> tooltalk"; flow:to_server,established; rpc:100083,*,*;
> reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003;
> reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075;
> reference:url,www.cert.org/advisories/CA-2001-05.html;
> classtype:rpc-portmap-decode; sid:1298; rev:7;)
>
> caused:
> snort: /rules/bigger.rules:1422 : Rule failed to commit: RPC portmap
> request tooltalk
>
> In fact, none of the RPC rules I tried worked. Neither did any of the
> shellcode rules.

The RPC rules will have failed because the RPC matcher isn't supported yet at all, just don't include rpc.rules. The shellcode rules, that is a bug, I believe the problem is that you don't have the $SHELLCODE_PORTS variable set. The error should be more descriptive. Again, fixed in CVS.

> I also noticed that firestorm.log gets overwritten each time firestorm
> is run. I don't think this is intentional.

It is intentional, it is now documented in the manpage. The firestorm.log doesn't have timestamps so multiple runs logging to the same file would be a bit confusing anyway. The only purpose for firestorm.log is for debugging etc... If your firestorm run goes successfully then you shouldn't really need the log for anything...

> Also, autocreation of a "firestorm" user with a specific uid+guid and a
> small redhat init script would be nice :)

Yeah the RPM setup could be a little more automated, sure.

--
// Gianni Tedesco (gianni at ecsc dot co dot uk)
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
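The two rule-loading failures discussed in the thread (a bracketed IP list in the rule header, and an undefined $VARIABLE producing an unhelpful "Rule failed to commit") come down to how a Snort-style rule header is parsed. The following added example, written for this post and not code from Firestorm or Snort, parses the header of the two rules quoted above: it expands `[a,b,c]` IP lists (with optional `!` negation) into networks, resolves `$NAME` variables from a table, and names the missing variable in its error. The variable table is constructed for the example and deliberately omits SHELLCODE_PORTS.

```python
import ipaddress
import re

# Constructed variable table (assumption): HOME_NET set, SHELLCODE_PORTS left undefined.
VARS = {"EXTERNAL_NET": "any", "HOME_NET": "10.0.0.0/8"}

# Header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def expand_var(tok, variables):
    """Resolve $NAME to its value; a missing variable is reported by name."""
    if tok.startswith("$"):
        name = tok[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return variables[name]
    return tok

def parse_ip_list(tok, variables):
    """Turn 'any', 'a.b.c.d/n', '!x' or '[x,y,...]' into (negated, [networks])."""
    tok = expand_var(tok, variables)
    negated = tok.startswith("!")
    tok = tok.lstrip("!")
    if tok == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = tok[1:-1].split(",") if tok.startswith("[") and tok.endswith("]") else [tok]
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def parse_rule(line, variables=VARS):
    """Parse one rule header into its address/port fields (options kept raw)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule header")
    return {"action": m["action"], "proto": m["proto"],
            "src": parse_ip_list(m["src"], variables),
            "sport": expand_var(m["sport"], variables),
            "dst": parse_ip_list(m["dst"], variables),
            "dport": expand_var(m["dport"], variables), "opts": m["opts"]}

def rule_error(line, variables=VARS):
    """Return the descriptive load error for a rule, or None if it parses."""
    try:
        parse_rule(line, variables)
        return None
    except ValueError as e:
        return str(e)

def dst_matches(rule, ip):
    """True when ip falls inside the rule's destination list (honouring '!')."""
    hit = any(ipaddress.ip_address(ip) in net for net in rule["dst"][1])
    return hit != rule["dst"][0]
```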