Snort mailing list archives
Re: Snort 2.02 still runs 'disabled' rules
From: John Sage <jsage () finchhaven com>
Date: Wed, 24 Sep 2003 08:42:17 -0700
Michael, et al: On Tue, Sep 23, 2003 at 01:23:08PM -0400, scheidell () secnap net wrote:
This started to happen with snort 1.9.1 and has been reported by several people in the past. It kept up with snort 2.00 and 2.01, and is still in snort 2.0.2. If I have a disabled rule (with a # in front of it) it should not run, but does. Don't know why it's the same rule that runs in all of these versions, but it is. Here is the rule, cut/paste from my ../rules/web-misc.rules file:

/* snip */

web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

System is FBSD 4.8, ../configure --enable-flexresp

It MIGHT be a SIGHUP problem since I did a killall -HUP snort to restart it a while back. MAYBE, with flex-resp enabled, with the disabled rule being the 'n'th rule, with FBSD memory management, with it being the third Tuesday of the month, with a SIGHUP reload of the rules, it sometimes misses the comment.

Since I am not the only one that has reported this, maybe there is a way to track this down. Could it be a problem with flex-resp code and SIGHUPs? Is it only on FBSD? For now, I will be doing a killall snort and cold restart to see if that fixes the problem.
I have successfully used commenting to disable rules on 1.9.1 and now 2.0.2, viz:

tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
    (msg:"TCP inbound to 135 dcom, MS03-039 vuln, unknown";)
tcp202-local.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 \
    (msg:"TCP inbound to 4444 msblast, unknown";)

snort_specs:

[jsage@greatwall /etc/snort]$ uname -a
Linux greatwall 2.4.18-5 #1 Mon Jun 10 15:14:29 EDT 2002 i586 unknown

./configure --with-mysql /usr/lib/mysql

[jsage@greatwall /etc/snort]$ snort -V
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

[jsage@greatwall /etc/snort]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)

This was an effective resolution to my earlier question:
Subject: [Snort-users] Rules: flags burp using 2.0.2?

- John

--
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus- -
ATTENTION: this message is privileged communication. If you read it even though you aren't supposed to, you're a poopy-head.
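One way to check what the rules files on disk actually say, independent of what a running Snort is alerting on, is to read them the way Snort does (join backslash-continued lines first, then treat a leading # as a comment) and list every occurrence of a sid across all files. The script below is an added example, not part of this thread or of Snort itself; the rules files it reads are constructed samples modelled on the ones quoted above, including a deliberately duplicated sid 1852 left active in a second file, which is one thing worth ruling out before suspecting the SIGHUP reload.

```python
import re
# Constructed sample rules files (not the real web-misc.rules): a commented-out
# rule, an active rule, a commented rule continued with a trailing backslash,
# and a second copy of sid 1852 left active in another file.
SAMPLE_RULES = {
    "web-misc.rules": r"""
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example"; uricontent:"/example"; sid:9000001; rev:1;)
""",
    "local.rules": r"""
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
    (msg:"TCP inbound to 135 dcom, MS03-039 vuln, unknown"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"copy of 1852 still active"; uricontent:"/robots.txt"; sid:1852; rev:3;)
""",
}
ACTION_RE = re.compile(r"^(alert|log|pass|activate|dynamic)\b")  # Snort 2.0-era rule actions
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def logical_lines(text):
    """Join backslash-continued lines before looking for '#', as Snort's rule
    parser does, so the continuation of a commented rule stays commented."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:  # file ended on a continuation line
        out.append(buf.strip())
    return out

def rule_status(files):
    """Map each sid to every occurrence across the files, enabled or disabled."""
    seen = {}
    for name, text in files.items():
        for line in logical_lines(text):
            disabled = line.startswith("#")
            body = line.lstrip("#").strip()
            sid = SID_RE.search(body)
            if not ACTION_RE.match(body) or not sid:
                continue  # blank line, plain comment, var or preprocessor line
            seen.setdefault(int(sid.group(1)), []).append({"file": name, "enabled": not disabled})
    return seen

def still_enabled(files, sid):
    """Files in which `sid` is still active; an empty list means it is disabled everywhere."""
    return [o["file"] for o in rule_status(files).get(sid, []) if o["enabled"]]
```

Run it against your real rules directory by reading each file into the dict in place of SAMPLE_RULES; a sid that should be disabled but still shows a file in still_enabled() explains the alert without any reload bug.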
Current thread:
- Snort 2.02 still runs 'disabled' rules scheidell (Sep 23)
- Re: Snort 2.02 still runs 'disabled' rules John Sage (Sep 24)