Snort mailing list archives
Re: !!Rolling back Snort rule files!!
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 29 Oct 2010 13:26:39 -0500
Hello. I think we have all been there on the bad ruleset nightmare. My advice -- use this as a learning experience. I use oinkmaster but I don't have it configured to download the rules from the Internets but to get them from the local file system. I have a separate script on a management server that pulls down the rules, makes necessary changes, and pushes them out to the sensors. That script has logic in it so that before the new VRT rules are copied, the current rules are backed up on each sensor. If there is a problem with the new rules, I have a different script that I can run that automatically tells the sensors to revert to the previous rules. Believe me, it has saved my ass more than once when dealing with the unpredictable VRT ruleset.

Hope this helps!

-L0rd C.

On Fri, Oct 29, 2010 at 1:16 PM, Weir, Jason <jason.weir () nhrs org> wrote:
I don't see it as an option in Oinkmaster - so here's a question for the Pulled Pork users - is there a "backup rules before updating" option? Maybe tar & gz the last 5 rules updates would be a good option, just in case you get a really screwed up ruleset..

-J

-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Friday, October 29, 2010 2:07 PM
To: Miso Patel
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] !!Rolling back Snort rule files!!

The other option that might work, grab all of the rules that are new / changed in this update and disable by sid using PP or oinkmaster, that should be maybe a 5 minute exercise.

Sent from the iRoad

On Oct 29, 2010, at 11:50, Miso Patel <miso.patel () gmail com> wrote:

It looks like many of the MS Kodak imaging malformed tiff rules were from TIFF downloads from Akamai and Deltacom ... looks like a lot of MSNBC news sites. I am running Snort with gzip decoding enabled. Anyone else seeing this?

Thanks, I'm going to check our backups now.

Miso Patel, CISO

On Fri, Oct 29, 2010 at 12:35 PM, Joel Esler <jesler () sourcefire com> wrote:

There is not an option to use a "previous ruleset"; you would have to back up your previous ruleset before you update it, since they are in the flat files. What SIDs are giving you the problems? Do you have pcaps for the traffic? After I received your emails I checked my alerts and I don't have either one of these (I'm not a good test case) alerting on my networks. Any more information you can provide?

J

On Oct 29, 2010, at 1:24 PM, Miso Patel wrote:

Today we installed the newest VRT community rules on our Snort sensors. Almost immediately we started seeing increased alert volume and further investigation shows that these are all false positives. We see *tons* of events for the Microsoft Kodak imaging malformed tiff rules along with other alerts like Mozilla firefox image dragging exploit and more.

Right now the SIEM is swamped and I've made the decision to go back to the old rules ... is there an easy way to do this? I don't see them online and my engineers tell me that there is not an option in Snort to instruct it to use the previous ruleset (e.g. snort --use-prev). Any help is much appreciated. Thank you.

Miso Patel, CISO

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
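The thread describes the missing piece in prose only: snapshot the live rule directory before each update, keep the last few snapshots, and have a one-command way to revert. The script below is an added example written for this archive page; it is not L0rd C.'s management-server script, and it is not part of Oinkmaster or PulledPork. The paths /etc/snort/rules and /var/backups/snort-rules and the retention count of 5 are assumptions that can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not a script from the thread. Keeps a rolling set of
# compressed snapshots of the rule directory, taken before every rule
# install, and restores the newest (or a chosen) snapshot on demand.
# Paths and the retention count are assumptions; override via environment.
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"          # assumed live rules tree
BACKUP_DIR="${BACKUP_DIR:-/var/backups/snort-rules}" # assumed snapshot store
KEEP="${KEEP:-5}"                                    # snapshots to retain

# Next zero-padded sequence number. Snapshot names start with it, so plain
# lexical sort order equals creation order (no reliance on mtime or clock).
next_seq() {
    n=$(cat "$BACKUP_DIR/.seq" 2>/dev/null || echo 0)
    n=$((n + 1))
    printf '%s\n' "$n" > "$BACKUP_DIR/.seq"
    printf '%06d\n' "$n"
}

# Snapshots, newest first.
list_backups() {
    ls "$BACKUP_DIR"/rules-*.tar.gz 2>/dev/null | sort -r
}

# Snapshot the live rules tree, then prune to the newest $KEEP. Prints the path.
backup_rules() {
    mkdir -p "$BACKUP_DIR"
    archive="$BACKUP_DIR/rules-$(next_seq)-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C makes the archive hold a relative tree ("rules/"), not absolute paths
    tar -czf "$archive" -C "$(dirname "$RULES_DIR")" "$(basename "$RULES_DIR")"
    list_backups | tail -n +"$((KEEP + 1))" | while read -r old; do rm -f "$old"; done
    printf '%s\n' "$archive"
}

# Back up the live tree, then replace it with the contents of NEW_DIR.
install_rules() {
    [ -d "$1" ] || { echo "install_rules: $1 is not a directory" >&2; return 1; }
    backup_rules >/dev/null
    rm -rf "$RULES_DIR"
    cp -R "$1" "$RULES_DIR"
}

# Restore a snapshot (default: the newest). The archive is unpacked and
# checked first, and the live tree is snapshotted before the swap, so a
# rollback can itself be rolled back.
rollback_rules() {
    archive="${1:-$(list_backups | head -n 1)}"
    [ -n "$archive" ] && [ -f "$archive" ] || { echo "rollback_rules: no snapshot to restore" >&2; return 1; }
    name=$(basename "$RULES_DIR")
    stage="$RULES_DIR.rollback"
    rm -rf "$stage" && mkdir -p "$stage"
    tar -xzf "$archive" -C "$stage"
    [ -d "$stage/$name" ] || { echo "rollback_rules: $archive does not contain $name/" >&2; return 1; }
    backup_rules >/dev/null
    rm -rf "$RULES_DIR"
    mv "$stage/$name" "$RULES_DIR"
    rm -rf "$stage"
    printf 'restored %s\n' "$archive"
}

# Command-line entry point: backup | install NEW_DIR | rollback [ARCHIVE] | list
case "${1:-}" in
    backup)   backup_rules ;;
    install)  install_rules "${2:-}" ;;
    rollback) rollback_rules "${2:-}" ;;
    list)     list_backups ;;
esac
```

Run `install` from the management-side update job in place of a bare copy, and `rollback` when a fresh ruleset starts flooding the SIEM; in both cases Snort still has to be restarted or signalled to re-read its configuration before the swapped files take effect. Taking a snapshot inside `rollback_rules` as well means a rollback done in haste never destroys the only copy of the problematic ruleset, which is what you will want to diff against the previous one when working out which SIDs to disable.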
Current thread:
- !!Rolling back Snort rule files!! Miso Patel (Oct 29)
- Re: !!Rolling back Snort rule files!! Joel Esler (Oct 29)
- Re: !!Rolling back Snort rule files!! Miso Patel (Oct 29)
- Re: !!Rolling back Snort rule files!! JJ Cummings (Oct 29)
- Re: !!Rolling back Snort rule files!! Weir, Jason (Oct 29)
- Re: !!Rolling back Snort rule files!! L0rd Ch0de1m0rt (Oct 29)
- Re: !!Rolling back Snort rule files!! Joel Esler (Oct 29)
- Re: !!Rolling back Snort rule files!! Weir, Jason (Oct 29)
- Re: !!Rolling back Snort rule files!! JJ Cummings (Oct 29)
- Re: !!Rolling back Snort rule files!! L0rd Ch0de1m0rt (Oct 29)
- Re: !!Rolling back Snort rule files!! Miso Patel (Oct 29)
- Re: !!Rolling back Snort rule files!! waldo kitty (Oct 29)
- Re: !!Rolling back Snort rule files!! Joel Esler (Oct 29)