Snort mailing list archives
Disabled rules still triggering
From: Willst Mail <willstmail () gmail com>
Date: Wed, 28 Apr 2010 14:19:38 -0400
I have a Snort sensor running 2.8.5.3 and oinkmaster 2.0 on FreeBSD 6.2. I have some signatures that I disable with oinkmaster, and in the rules files they show as commented out, but alerts are still being generated. Example:
From oinkmaster.conf:
# Nimda RICHED20.DLL (2010-03-09 wss) disablesid 1295
From /usr/local/etc/snort/rules:
# grep "sid:1295;" *
netbios.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:11;)

This seems to be happening with some (not sure about all) signatures. I've tried both HUP'ing Snort and doing a full stop and start.

Suppressing it in threshold.conf DOES seem to prevent alerts:

$ grep 1295 /usr/local/etc/snort/threshold.conf
suppress gen_id 1, sig_id 1295
$ grep 1295 /var/log/messages
Apr 28 14:11:45 mysnortsensor snort[92239]: | gen-id=1 sig-id=1295 tracking=none

But I'd rather disable than simply suppress, and the fact that the commented rule is still being loaded is troubling. We've been running 2.8.5.3 on this sensor for a couple months, this issue seems to have started in the past few days, and I don't think I'm seeing it on other sensors. We are using the paid signature subscription.

Any ideas, or how else to troubleshoot this? Going to 2.8.6 isn't an option just yet.
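A check worth running for the symptom in this post before digging into Snort itself: confirm that no rules file Snort loads still carries an uncommented copy of a sid that oinkmaster's disablesid commented out elsewhere. This is an added example, not code from the thread; the oinkmaster.conf text and rules files are constructed, and treating `#` as a comment marker in oinkmaster.conf is an assumption.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
DISABLESID_RE = re.compile(r"^\s*disablesid\s+(.+)$", re.IGNORECASE)

# Constructed stand-ins for oinkmaster.conf and the rules directory (not the poster's files).
OINKMASTER_CONF = "# Nimda RICHED20.DLL (2010-03-09 wss)\ndisablesid 1295\ndisablesid 2000, 2001\n"
RULES_FILES = {
    "netbios.rules":
        '#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; sid:1295; rev:11;)\n',
    # Hypothetical second, uncommented copy of sid 1295 in a file oinkmaster does not manage.
    "local.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 \\\n'
        '    (msg:"LOCAL copy of nimda rule"; sid:1295; rev:11;)\n'
        '# alert tcp any any -> any any (msg:"off"; sid:2000; rev:1;)\n',
}

def parse_disabled_sids(conf_text):
    """Collect the SIDs named by 'disablesid' lines; '#' starts a comment (assumed)."""
    sids = set()
    for line in conf_text.splitlines():
        m = DISABLESID_RE.match(line.split("#", 1)[0])
        if m:
            sids.update(int(s) for s in re.findall(r"\d+", m.group(1)))
    return sids

def iter_rules(rules_text):
    """Yield (is_active, sid) per rule, joining backslash-continued lines first."""
    buf = ""
    for line in rules_text.splitlines():
        buf += line.rstrip()
        if buf.endswith("\\"):          # rule continues on the next line
            buf = buf[:-1] + " "
            continue
        m = SID_RE.search(buf)
        if m:
            yield (not buf.lstrip().startswith("#"), int(m.group(1)))
        buf = ""

def active_disabled_sids(conf_text, rules_files):
    """Map each disabled SID to every rules file that still holds an uncommented copy."""
    disabled = parse_disabled_sids(conf_text)
    hits = {}
    for fname, text in sorted(rules_files.items()):
        for active, sid in iter_rules(text):
            if active and sid in disabled:
                hits.setdefault(sid, []).append(fname)
    return hits   # constructed data above yields {1295: ['local.rules']}
```

Run it against the real files by reading oinkmaster.conf and every file named in snort.conf's include lines into the two inputs; any sid reported here will keep alerting no matter what oinkmaster commented out.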