Snort mailing list archives

Re: Snort 2.02 still runs 'disabled' rules


From: John Sage <jsage () finchhaven com>
Date: Wed, 24 Sep 2003 08:42:17 -0700

Michael, et al:

On Tue, Sep 23, 2003 at 01:23:08PM -0400, scheidell () secnap net wrote:
> This started to happen with snort 1.9.1 and has been reported by
> several people in the past.
>
> It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2
>
> If I have a disabled rule (with a # in front of it) it should not
> run, but does.
>
> Don't know why it's the same rule that runs in all of these versions,
> but it is.
>
> Here is the rule, cut/paste from my ../rules/web-misc.rules file:
> /* snip */
> web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC robots.txt access";
> flow:to_server,established; uricontent:"/robots.txt"; nocase;
> reference:nessus,10302; classtype:web-application-activity; sid:1852;
> rev:3;)
>
> System is FBSD 4.8, ../configure --enable-flexresp
>
> It MIGHT be a SIGHUP problem since I did a killall -HUP snort to
> restart it a while back.
>
> MAYBE, with flex-resp enabled, with the disabled rule being the
> 'n'th rule, with FBSD memory management, with it being the third
> Tuesday of the month, with a SIGHUP reload of the rules, it sometimes
> misses the comment.
>
> Since I am not the only one that has reported this, maybe there is a
> way to track this down.
>
> Could it be a problem with flex-resp code and SIGHUPs? Is it only on FBSD?
> For now, I will be doing a killall snort and cold restart to see if
> that fixes the problem.

I have successfully used commenting to disable rules on 1.9.1 and now
2.0.2, viz:

tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
 (msg:"TCP inbound to 135 dcom, MS03-039 vuln, unknown";)
tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 \
 (msg:"TCP inbound to 4444 msblast, unknown";)

snort_specs:

[jsage@greatwall /etc/snort]$ uname -a
Linux greatwall 2.4.18-5 #1 Mon Jun 10 15:14:29 EDT 2002 i586 unknown

./configure --with-mysql /usr/lib/mysql

[jsage@greatwall /etc/snort]$ snort -V
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

[jsage@greatwall /etc/snort]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)


This was an effective resolution to my earlier question:

Subject: [Snort-users] Rules: flags burp using 2.0.2?



- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.

