Signature links broken - [arachNIDS] [local]

BASE-user
Chris Ryan
2008-04-24
2013-06-03
  • Chris Ryan
    2008-04-24

    I've set up BASE 1.3.9.

    While checking the warnings, I noted some broken links in the "signatures" section.

    The URLs are set in base_conf.php:
    <code>
    /* Signature references */
    $external_sig_link = array('bugtraq'   => array('http://www.securityfocus.com/bid/', ''),
                               'snort'     => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
                               'cve'       => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
                               'arachnids' => array('http://www.whitehats.com/info/ids', ''),
                               'mcafee'    => array('http://vil.nai.com/vil/content/v_', '.htm'),
                               'icat'      => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
                               'nessus'    => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
                               'url'       => array('http://', ''),
                               'local'     => array('signatures/', '.txt'));
    </code>

    www.whitehats.com isn't registered anymore, and I have no local text signatures in my BASE directory.

    Where can I get these local signature files, or how can I disable the generation of the link?
    Just deleting the entries from the list results in plain text being inserted, e.g. "local".
    Is there a simple way, or do I have to edit the PHP file that generates the links?

    Thanks in advance, Chris.

    • Hello Chris,

      the "local" link requires a subdirectory "signatures", filled with the files like "3398.txt", which contain the description of an alert in text form.

      These docs used to be included in the rules tarballs under "doc", for example in the community rules.

      In the last years, however, Sourcefire has silently neglected this doc subdirectory.

      I will have a look at this in the BASE code, eventually.  And for the time being, simply ignore it.

      Bye, bye,

      Juergen

    • WuTang
      2008-04-26

      As the person responsible for all those text files in the docs directory of each and every tarball I can tell you that every single rule in the official snort rule set has an associated document, and that goes for the shared object rules and most of the preprocessors too.

      Next time, get your facts straight before suggesting that Sourcefire has "silently neglected" something.

      • The facts for registered users are:

        The last doc seen in any snortrules-snapshot-CURRENT.tar.gz or snortrules-snapshot-2.8.tar.gz was 3827.txt, whereas

        - in sid-msg.map the highest sid of this type of rules is 12362 and
        - in the rules themselves it is 13632.

        For unregistered users there are no rule sets for snort versions 2.6 and 2.8 at all. snortrules-pr-2.4.tar.gz and Community-Rules-2.4.tar.gz were the last ones. Only the docs in the Community-Rules are complete, although the rule set sid:100000100 - 100000934 itself hasn't been updated for 1 year.

        • WuTang
          2008-05-12

          Incorrect.

          Last doc in the registered downloads for regular rules was 13632.txt

          Look in docs/signatures. "ls | wc -l" should give you 13351. If not, you are doing it wrong.

    • Chris Ryan
      2008-04-29

      Juergen, thanks for your reply - I was able to solve my "problem" with it.

      SOLUTION

      I've installed snort using the Debian package system. The current version of "snort-rules-default" (2.7.0-13) does not contain any of the signature files, nor the docs subdirectory.

      So, to get these signatures onto your local machine, go to http://www.snort.org/pub-bin/downloads.cgi and download the latest community AND official ruleset you can get. The signature text files are in the tarballs, as Juergen mentioned above.

      Easy as that ;)
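The link resolution that the base_conf.php table above drives, together with the "signatures/<sid>.txt" requirement Juergen describes, as an added PHP example (not BASE's own code): the table is a subset of the one posted, and the id character pattern and the $sig_dir argument are assumptions of the example.

```php
<?php
// Added example, not code from BASE itself: resolve a signature reference
// against a base_conf.php-style $external_sig_link table of (prefix, suffix).
// Assumption: $sig_dir is the directory holding the local "<sid>.txt" docs.
$external_sig_link = array(
    'bugtraq' => array('http://www.securityfocus.com/bid/', ''),
    'cve'     => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
    'local'   => array('signatures/', '.txt'),
);

/**
 * Build the HTML for one reference. Returns escaped plain text instead of
 * a link when the type is not in the table (what happens after an entry is
 * deleted), when the id has unexpected characters, or when the local doc
 * file is missing, so neither dead nor malformed links are emitted.
 */
function sig_ref_link(array $table, string $type, string $id, string $sig_dir): string
{
    $label = htmlspecialchars("$type:$id", ENT_QUOTES, 'UTF-8');
    if (!isset($table[$type])) {
        return $label;
    }
    // ids are sids, BIDs or CVE names (assumed shape); reject anything else
    if (!preg_match('/^[A-Za-z0-9_.:-]+$/', $id)) {
        return $label;
    }
    list($prefix, $suffix) = $table[$type];
    if ($type === 'local' && !is_file($sig_dir . '/' . $id . $suffix)) {
        return $label; // no signatures/<sid>.txt: show text, not a broken link
    }
    $href = htmlspecialchars($prefix . $id . $suffix, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Constructed sample data: one local doc exists (1917), one does not (13632).
$sig_dir = sys_get_temp_dir() . '/base_sig_example';
if (!is_dir($sig_dir)) {
    mkdir($sig_dir, 0700, true);
}
file_put_contents($sig_dir . '/1917.txt', "constructed sample doc for sid 1917\n");

echo sig_ref_link($external_sig_link, 'cve',       'CVE-2004-0001', $sig_dir), "\n"; // linked
echo sig_ref_link($external_sig_link, 'local',     '1917',          $sig_dir), "\n"; // linked, doc present
echo sig_ref_link($external_sig_link, 'local',     '13632',         $sig_dir), "\n"; // plain text, doc absent
echo sig_ref_link($external_sig_link, 'arachnids', '339',           $sig_dir), "\n"; // plain text, entry removed
```

Keeping the entry in the table and letting the file check decide is the alternative to deleting it, which is what turns the reference into bare text in the original setup.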