Snort mailing list archives
Fwd: Disablesid.conf does not disable all rules
From: Forensix Land <forensixland () gmail com>
Date: Mon, 24 Apr 2017 00:11:13 -0400
Hi, Seems the disabledsid.conf file does not disable all the rules. All enablesid.conf, dropsid.conf and modifysid.conf files are blank. Below is the pcre in disabledsid.conf: pcre:connectivity-ips\s*drop But I still saw rules are enabled. Below are some examples. ###grep "connectivity-ips" rules/snort.vrt.rules |grep -v "^#" alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:2;) Please advice. FL
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fwd: Disablesid.conf does not disable all rules Forensix Land (Apr 23)