Snort mailing list archives
Re: Local.Rules rule misfiring
From: Clint Conner <conner () plummerslade com>
Date: Fri, 29 Apr 2016 16:04:54 +0000
Greetings Anthony,

Thank you, I created a suppression rule and this resolved my issue!

Thank you,
-Clint

*************************
Clint J. Conner
Managed Services Manager
Plummer Slade, Inc.
"Computer Networking & IT Solutions"
Tel: 412.261.5600 x215
conner () plummerslade com
"Exclusively endorsed for IT solutions by the Allegheny County Bar Association (ACBA)."

From: Rodgers, Anthony (DTMB) [mailto:RodgersA1 () michigan gov]
Sent: Friday, April 29, 2016 8:21 AM
To: Clint Conner <conner () plummerslade com>; snort-sigs () lists sourceforge net
Subject: RE: Local.Rules rule misfiring

As I read your rule, it will match on $EXTERNAL_NET - IP address matching is not first-match, AFAIK. If you want to exclude (a) specific address(es) from causing a rule to fire, you should look at event suppression or detection_filter, not negation.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Clint Conner [mailto:conner () plummerslade com]
Sent: Tuesday, April 26, 2016 10:06
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Local.Rules rule misfiring

Greetings,

I have the following rule added to my local.rules file. The rule it replaces is disabled in disabledsids.conf. The rule is firing incorrectly, though. It alerts on the first IP address, which is 188.172.212.76. If I understand the rule correctly, it should not be alerting on this IP address.

alert tcp $HOME_NET any -> [!188.172.212.76,!208.87.232.0/21,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:Trojan-activity; sid:900000010; rev:1;)

There are more IP address ranges that are !'d out, but I have omitted them. I copied the rule directly from the pulledpork file and just added the first IP address to it. I still have alerts pouring in when anything goes to that first IP address.

Thank you,
-Clint

*************************
Clint J. Conner
Managed Services Manager
Plummer Slade, Inc.
"Computer Networking & IT Solutions"
428 Forbes Avenue, Suite 2450
Pittsburgh, PA 15219
Tel: 412.261.5600 x215
Fax: 412.261.1528
conner () plummerslade com
www.plummerslade.com
"Exclusively endorsed for IT solutions by the Allegheny County Bar Association (ACBA)."
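The event-suppression approach Anthony recommended, written out as an added example for the sid and destination addresses quoted above (this is not configuration from the thread; the track direction and the threshold.conf placement are assumptions):

```conf
# Added example: Snort 2.x event suppression for the local rule above
# (gen_id 1, sid 900000010). These lines go in threshold.conf, which
# snort.conf reads via "include threshold.conf" (placement is an assumption).
#
# The rule's direction is $HOME_NET -> [...] $HTTP_PORTS, so the addresses the
# rule tried to negate are destinations; hence track by_dst (assumed).
# Suppression is checked before the alert is logged, so the rule still runs
# against every other destination and nothing else is lost.
suppress gen_id 1, sig_id 900000010, track by_dst, ip 188.172.212.76
suppress gen_id 1, sig_id 900000010, track by_dst, ip 208.87.232.0/21
# One suppress line per address or CIDR block that should not raise this alert;
# the other ranges omitted from the post would each get their own line.
```

With the exclusions handled here, the rule's destination list can stay a plain $EXTERNAL_NET, so the one place to audit the exclusions is threshold.conf rather than a mixed negated/non-negated IP list.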
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Local.Rules rule misfiring Clint Conner (Apr 26)
- Re: Local.Rules rule misfiring James Lay (Apr 26)
- Re: Local.Rules rule misfiring Rodgers, Anthony (DTMB) (Apr 29)
- Re: Local.Rules rule misfiring Clint Conner (Apr 29)