Re: !!Rolling back Snort rule files!!

[JJ Cummings <cummingsj () gmail com>]

The other option that might work, grab all of the rules that are new / changed in this update and disable by sid using 
PP or oinkmaster, that should be maybe a 5 minute exercise.

Sent from the iRoad

On Oct 29, 2010, at 11:50, Miso Patel <miso.patel () gmail com> wrote:

> It looks like many of the MS Kodak imaging malformed tiff rules were from TIFF downloads from Akamai and Deltacom ... 
> looks like a lot of MSNBC news sites.  I am running Snort with gzip decoding eneabled.  Anyone else seeing this?
>
> Thanks, I'm going to check our backups now.
>
> Miso Patel, CISO
>
> On Fri, Oct 29, 2010 at 12:35 PM, Joel Esler <jesler () sourcefire com> wrote:
> There is not an option to use a "previous ruleset", you would have to backup your previous ruleset before you update 
> it, since they are in the flat files.
>
> What SIDs are giving you the problems?  Do you have pcaps for the traffic?
>
> After I received your emails I checked my alerts and I don't have either one of these (I'm not a good test case) 
> alerting on my networks.  Any more information you can provide?
>
> J
>
> On Oct 29, 2010, at 1:24 PM, Miso Patel wrote:
>
> > Today we installed the newest VRT community rules on our Snort sensors.  Almost immediately we started seeing 
> > increased alert volume and further investigation shows that these are all false positives. We see *tons* of events 
> > for the Microsoft Kodak imaging malformed tiff rules along with other alerts like Mozilla firefox image dragging 
> > exploit and more.
> >
> > Right now the SIEM is swamped and I've made the decision to go back to the old rules ... is there an easy way to do 
> > this?  I don't see them online and my engineers tell me that there is not an option in Snort to instruct it to use 
> > the previous ruleset (e.g. snort --use-prev).  Any help is much appreciated.
> >
> > Thank you.
> >
> > Miso Patel, CISO
> > ------------------------------------------------------------------------------
> > Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> > Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > http://p.sf.net/sfu/nokia-dev2dev_______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs