Snort mailing list archives

Re: problem tuning out one particular rule

From: JJC <cummingsj () gmail com>
Date: Wed, 30 Mar 2011 10:23:12 -0600

Speaking from the perspective of PulledPork, that rule is re-enabled because
it sets a flowbit that other rules (that are enabled) rely on.  As to the
suppression, are you sure that the source is 10.0.0.0/8 and that it's not
the dest?

JJC

On Wed, Mar 30, 2011 at 9:50 AM, Youngquist, Jason R. <jryoungquist () ccis edu

wrote:

   So I’ve been doing some Snort tuning over the last couple weeks.  I’m
using Snort 2.9.0.4, Barnyard2, and PulledPork 0.5.  There’s this one event
signature “WEB-CLIENT Portable Executable binary file transfer” (sid: 15306)
and I’ve been trying to tune it out, but it still keeps on firing.



I have it in the disablesid.conf

# WEB-CLIENT Portable Executable binary file transfer

1:15306



I also put it in the threshold.conf as well

# ignore these WEB-CLIENT Portable Executable binary file transfer

suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.0/8



Yet, the rule keeps firing.  All of the other rules I’ve ignored using the
methods above have worked, so not sure what’s different about this
particular rule.



Thoughts?



Thanks.

Jason Youngquist

Information Technology Security Engineer

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO  65216

(573) 875-7334

jryoungquist () ccis edu

http://www.ccis.edu






------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: [Emerging-Sigs] Smoking Pig Update (PulledPork), (continued)
- - - Message not available
    - Message not available
    - Re: [Emerging-Sigs] Smoking Pig Update (PulledPork) Kevin Ross (Mar 29)
- Re: Smoking Pig Update (PulledPork) JJC (Mar 29)
- Re: Smoking Pig Update (PulledPork) Markus Lude (Mar 29)
  - Re: Smoking Pig Update (PulledPork) JJC (Mar 29)
  - Re: Smoking Pig Update (PulledPork) waldo kitty (Mar 29)
    - Re: Smoking Pig Update (PulledPork) Mike Lococo (Mar 29)
    - Re: Smoking Pig Update (PulledPork) JJC (Mar 29)
    - Re: Smoking Pig Update (PulledPork) Security () brvenik com (Mar 30)
    - Re: Smoking Pig Update (PulledPork) Mike Lococo (Mar 30)
    - problem tuning out one particular rule Youngquist, Jason R. (Mar 30)
    - Re: problem tuning out one particular rule JJC (Mar 30)
    - Re: problem tuning out one particular rule JJC (Mar 30)
    - Re: Smoking Pig Update (PulledPork) Jeff Kell (Mar 29)
    - Re: Smoking Pig Update (PulledPork) waldo kitty (Mar 29)
    - Re: Smoking Pig Update (PulledPork) Joel Esler (Mar 29)